Windows Analysis Report
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe

Overview

General Information

Sample name: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Analysis ID: 1527171
MD5: 8e177d78ae583957804b5a933d6a3f1e
SHA1: edb0a9379263c6a0a12dd77df7d2abe373a24722
SHA256: 4793c4f1d490d454d761f7947b6451c07fbbc8639013f5c80b3f493e7c6cb6eb
Tags: base64-decoded, exe, user-abuse_ch
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Avira: detected
Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://quantumqube.org/index.php", "https://quantumqube.org/index.php", "http://innovixus.org/index.php", "https://innovixus.org/index.php"]}
Source: C:\Users\user\AppData\Roaming\hfetwhc ReversingLabs: Detection: 47%
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW, 7_2_007E3098
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW, 7_2_007E3717
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E3E04 RtlCompareMemory,CryptUnprotectData, 7_2_007E3E04
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW, 7_2_007E11E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E1198 CryptBinaryToStringA,CryptBinaryToStringA, 7_2_007E1198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA, 7_2_007E123B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E1FCE CryptUnprotectData,RtlMoveMemory, 7_2_007E1FCE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0322178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 9_2_0322178C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0322118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 9_2_0322118D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_03002404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA, 11_2_03002404
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0300245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA, 11_2_0300245E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0300263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext, 11_2_0300263E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C1221 CryptBinaryToStringA,CryptBinaryToStringA, 13_2_030C1221
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: Binary string: WalletProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdbGCTL source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletProxy.pdb source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdb source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletBackgroundServiceProxy.pdb source: explorer.exe, 0000000D.00000003.2700964728.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: WalletBackgroundServiceProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: xy.pdbGCT.r source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdb source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdbGCT.orp source: explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 7_2_007E2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 7_2_007E1D4A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 7_2_007E3ED9
Source: C:\Windows\explorer.exe Code function: 8_2_00A330A8 FindFirstFileW,FindNextFileW,FindClose, 8_2_00A330A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 9_2_032215BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 9_2_032213FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 9_2_032214D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C2240 FindFirstFileW,FindNextFileW,FindClose, 13_2_030C2240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C18E0 lstrcatW,lstrcatW,PathCombineW,lstrcatW,PathRemoveFileSpecW,FindFirstFileExW,lstrcmpiW,PathCombineW,PathCombineW,FindNextFileW,FindClose, 13_2_030C18E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C20C1 FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 13_2_030C20C1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C1A96 GetTempPathW,GetTempFileNameW,DeleteFileW,PathRemoveExtensionW,StrRChrW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,StrStrIW,SHGetFolderPathW,PathFindFileNameW,PathAppendW,ExpandEnvironmentStringsW, 13_2_030C1A96
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

Networking

Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49746 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49734 -> 198.54.117.242:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49748 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49752 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49749 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49753 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49751 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49750 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49742 -> 198.54.117.242:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49730 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49738 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49714 -> 194.87.189.87:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49718 -> 198.54.117.242:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49747 -> 194.87.189.87:80
Source: Malware configuration extractor URLs: http://quantumqube.org/index.php
Source: Malware configuration extractor URLs: https://quantumqube.org/index.php
Source: Malware configuration extractor URLs: http://innovixus.org/index.php
Source: Malware configuration extractor URLs: https://innovixus.org/index.php
Source: Joe Sandbox View IP Address: 198.54.117.242
Source: Joe Sandbox View ASN Name: AS-REGRU
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Network traffic Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 194.87.189.87:80 -> 192.168.2.8:49746
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://upgyyhdoyghspm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://smuegklsriebfq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: innovixus.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://drfkgcucoqvlrnnc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 257 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://thbqljycmivxnpmr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: innovixus.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rdycpqjqlugnms.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://crwqlqtuysbj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 172 | Host: innovixus.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qlijxlatgdyt.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 168 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quantumqube.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 501 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quantumqube.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 6348785 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wqvfywivxptqmt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://raievqxnfbig.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vvywjtocjkatexf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mxfkxoyxtgh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qxdsgfawkutaw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: explorer.exe, 0000000D.00000003.2621735460.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2621306051.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2447348106.0000000003510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "www.facebook.com", equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: quantumqube.org
Source: global traffic DNS traffic detected: DNS query: innovixus.org
Source: unknown HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://upgyyhdoyghspm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: quantumqube.org
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Oct 2024 19:27:36 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: keep-alive | Vary: Accept-Encoding | Server: namecheap-nginx | Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:27:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 66 37 30 0d 0a 40 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 27 d2 6c ac 11 c6 52 d1 3b 37 d7 a5 36 82 b4 8a ab 80 da 1b be 00 a0 92 05 00 03 0c a7 32 01 0b 00 00 07 00 9e 03 00 00 62 02 28 96 e9 7a 2a f4 cb 78 52 7f 40 00 50 00 77 c0 64 47 47 36 9c 8d 96 4a ed d1 9e d6 80 c4 6c 33 99 24 a7 b4 b4 35 c3 e1 cb 26 ef 22 79 42 75 08 78 08 f7 1d 9b dc 6b cb 0a ea f2 8b 19 bf 99 78 b9 82 ba ce 22 33 4f 4a a8 df 50 78 ae 76 77 2e c7 9b 5e 2d 28 67 32 da c8 c9 75 cd d4 a5 2b c1 10 eb 1d a0 33 0d 98 9e 44 f7 6b a9 c6 24 31 3d 1d f1 ea e8 ae 1d d5 84 1f af 15 26 fb 4f bb 25 b9 52 6e f5 a0 8a 0a 49 0e 48 3c 5c 38 d3 13 33 ca aa 9b 5c 35 3f 78 1b f1 19 e1 c2 70 4c e8 73 36 6b 7d d5 d3 6e a4 5e 14 85 a9 0e a1 79 e7 e2 8f d9 fc 87 1e 17 08 2a d3 a7 57 64 02 f2 1f 97 3a 75 05 d6 39 26 05 29 1b 93 de cb 73 67 b8 04 d4 23 37 bf be 0b 34 b2 74 c4 1a 80 c5 9c f5 2b 45 c2 a1 ce 66 f8 cd ce 41 e1 68 9b cb 45 74 60 87 17 b6 fb c9 69 56 c1 7a 75 a6 b6 91 7f 35 28 62 b3 15 0a 3e 77 0b 6c 3f 72 6d c5 b0 62 4a 85 0a 39 54 4a ef 82 78 65 a5 12 89 42 79 18 c4 79 f5 96 4f 76 46 06 c0 e9 22 30 34 84 0f 92 48 07 52 c5 04 c3 48 b7 3d 91 25 be 7c 16 c4 5c 8e 36 d9 7c b3 67 c3 ee a4 67 3b c7 e0 1b 96 44 60 0c 7d 11 6b 01 27 8e 7a 90 1b 83 03 37 9c a1 29 61 04 de ac b2 d8 3c bd 20 60 c8 95 74 8e 89 0b 2c 61 df 2b c0 7e a4 4e 45 3a c3 e4 a8 39 be bb a7 31 20 93 97 a0 a0 b5 7f c7 d6 91 0a 5b 86 18 74 2a fd 7d c4 1d 22 3f b3 3c 56 73 d8 fb 5b 8e 2d a5 e4 07 39 88 5c 2a 6a 3f c8 6c 1d b5 c6 8b f1 be 7f d6 a1 5e 5c 47 ac 65 d7 73 d2 71 71 f5 9a 3d cf 2c e5 1c c6 eb 8c b4 45 e1 0c a1 e8 35 b7 e5 04 54 25 1f 83 1f fd 39 ae 07 62 90 48 e8 f7 cb 93 3c 91 5f fc 84 dd 7a 0b 01 a2 11 6a c4 f4 14 70 65 
48 60 21 09 b6 10 7d 2d 97 87 bb 75 c3 0a b7 49 aa 57 7d 10 a3 15 a6 91 59 62 2a 44 9f c7 bd f3 a8 72 60 9d b9 c7 f5 9f d8 aa df 2d 16 2b 15 a2 69 39 7a 26 8a de 9b 6d a1 a2 c6 90 63 f8 37 1d 10 4c e1 29 af 9e 05 fd 3c 1d 17 7a 41 32 b4 77 40 0c 0d a9 bb 8d b7 ba 7a 5d 98 53 fb e6 7e 09 8e 0a 3c cc 99 ef 15 b1 4e ad b0 11 b9 de 26 5d f2 f9 c7 72 49 b9 46 de b0 e4 d6 76 f2 a0 8a fb b2 52 12 6e db 9e e3 84 21 7a 72 ba 59 c6 34 4f 12 9b f7 e0 4c 77 d7 c6 6b a2 99 f6 d9 6b d5 7d 23 04 ce ad 8d 9f 18 aa 9d 74 59 68 c0 42 f7 92 c7 6b 71 4b 65 e4 cd a0 29 e1 92 05 21 d8 c4 ea 8d c1 30 94 87 ab c7 50 14 15 85 86 d2 a0 15 15 e6 d9 f5 12 d8 d4 a1 58 7f b8 41 0e ad df bc 0d a8 ce 32 04 e4 8a 84 7f ee 75 29 7d da 25 86 c8 da 42 6f db 62 73 41 5e f7 ed 15 15 42 fb e6 ea 35 c4 50 ad 56 45 8b 79 53 2b f9 92 ee 64 4c 1b b5 4a fd 76 6a 6c fb 4d d2 a0 9c 79 25 c8 b5 17 5b 8c 8a cb 65 8f b5 89 0b e4 24 b9 de 24 ba 24 c5 b3 95 c4 4e 52 85 c0 ad 92 ff 22 8e ec f3 62 37 33 ba d7 2b ac 7b 1d f7 ef 6c cd 5f 21 5d 0c 2c 91 ae 02 4e a1 c7 4d 32 1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:28:55 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:29:11 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:29:30 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:29:48 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:30:05 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.22.1 | Date: Sun, 06 Oct 2024 19:30:05 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: keep-alive | Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a | Data Ascii: 2f+g@GHSN'E|6V#^.v0
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1475801434.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: http://jedwatson.github.io/classnames
Source: explorer.exe, 00000002.00000000.1473694819.0000000004405000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.0000000003304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/
Source: explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.0000000003304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2373953881.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2347347955.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3927428692.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3928236257.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3928453017.0000000003297000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3926853756.0000000000859000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3928965249.00000000033D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/index.php
Source: explorer.exe, 0000000D.00000003.3028814712.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2721237512.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3328845519.0000000005270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/index.php.
Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2347347955.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3927428692.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3928236257.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3928453017.0000000003297000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3926853756.0000000000859000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3928965249.00000000033D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/index.phpMozilla/5.0
Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/index.phpn
Source: explorer.exe, 00000007.00000002.2375965405.00000000032C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org/ndex.php
Source: explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://quantumqube.org:80/index.phpcrosoft
Source: explorer.exe, 00000002.00000000.1474886102.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1474899724.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1473187872.0000000002C80000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: http://underscorejs.org/LICENSE
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.1475801434.0000000009237000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000002.00000000.1474139705.000000000702D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: https://github.com/jsstyles/css-vendor
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: https://lodash.com/
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: https://lodash.com/license
Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr String found in binary or memory: https://openjsf.org/
Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1478526429.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED

E-Banking Fraud

Source: C:\Windows\SysWOW64\explorer.exe Code function: StrStrIA, chrome.exe|opera.exe|msedge.exe 9_2_03222EA8
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe 9_2_03223862

System Summary

Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: hfetwhc.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_00402600 NtOpenKey,NtEnumerateKey,NtEnumerateKey,NtClose, 0_2_00402600
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_00402FFC RtlCreateUserThread,NtTerminateProcess, 0_2_00402FFC
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_00401597 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401597
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_0040250F NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_0040250F
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015C6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015C6
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015C9 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015C9
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004032DC NtTerminateProcess,RtlInitUnicodeString,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower, 0_2_004032DC
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004022DE NtQuerySystemInformation, 0_2_004022DE
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_00402595 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_00402595
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015A2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015A2
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004022A8 NtQuerySystemInformation, 0_2_004022A8
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015AE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015AE
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004023B0 NtQuerySystemInformation,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_004023B0
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015B2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015B2
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004015B5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E4B92 RtlMoveMemory,NtUnmapViewOfSection, 7_2_007E4B92
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E33C3 NtQueryInformationFile, 7_2_007E33C3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E342B NtQueryObject,NtQueryObject,RtlMoveMemory, 7_2_007E342B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle, 7_2_007E349B
Source: C:\Windows\explorer.exe Code function: 8_2_00A338B0 NtUnmapViewOfSection, 8_2_00A338B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection, 9_2_03223D8D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03222E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW, 9_2_03222E1B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03221FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 9_2_03221FE5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03221F4E NtCreateSection,NtMapViewOfSection, 9_2_03221F4E
Source: C:\Windows\explorer.exe Code function: 10_2_00D95300 NtUnmapViewOfSection, 10_2_00D95300
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_03001016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 11_2_03001016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_03001A80 NtCreateSection,NtMapViewOfSection, 11_2_03001A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_03001819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 11_2_03001819
Source: C:\Windows\explorer.exe Code function: 12_2_0080355C NtUnmapViewOfSection, 12_2_0080355C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C1F82 RtlMoveMemory,NtUnmapViewOfSection, 13_2_030C1F82
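The API chains listed above (NtCreateSection followed by repeated NtMapViewOfSection in the sample; OpenProcess, NtUnmapViewOfSection, CreateMutexA/GetLastError, WriteProcessMemory and CreateRemoteThread in the injected explorer.exe; CreateToolhelp32Snapshot walks with long runs of lstrcmpiA) can be triaged mechanically from the report text. The Python script below is an added example, not code from the Joe Sandbox report or from the SmokeLoader sample: it parses "Code function" lines in the report's own format and flags chains that match injection and evasion idioms. The pattern table and the compare-count threshold are this example's own assumptions, not a vendor signature set; the input lines are copied from the report above with the sample's long file name shortened to sample.exe.

```python
"""Triage helper for sandbox 'Code function' API-chain lines (added example).

Parses lines of the form
  Source: <image> Code function: <id> <Api>,<Api>,..., <id>
and flags chains matching injection / evasion idioms. PATTERNS is this
example's assumption, derived from the chains visible in the report.
"""
import re

LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+Code function:\s+(?P<func>\S+)"
    r"(?:\s+(?P<apis>\S+))?\s+(?P=func)\s*$"
)

# API names that must occur in this order (gaps allowed) within one chain.
PATTERNS = {
    # A section mapped more than once: the pattern behind the report's
    # "Maps a DLL or memory area into another process" finding.
    "section_mapping_injection": ("NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"),
    # Classic remote-thread injection: open the target, write the payload, run it.
    "remote_thread_injection": ("OpenProcess", "WriteProcessMemory", "CreateRemoteThread"),
    # Unmap a view in the target first, then write and run (hollowing-style).
    "unmap_before_inject": ("NtUnmapViewOfSection", "WriteProcessMemory", "CreateRemoteThread"),
    # Named-mutex gate: CreateMutexA then GetLastError (ERROR_ALREADY_EXISTS check).
    "mutex_check": ("CreateMutexA", "GetLastError"),
}


def parse_line(line):
    """Return {'image', 'func', 'apis'} for a Code function line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in (m.group("apis") or "").split(",") if a]
    return {"image": m.group("image"), "func": m.group("func"), "apis": apis}


def contains_in_order(apis, needle):
    """True if every name in `needle` occurs in `apis` in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(api == want for api in it) for want in needle)


def name_scan_compares(apis):
    """Number of lstrcmpi* calls inside a Toolhelp32 process walk (0 if no walk)."""
    if "CreateToolhelp32Snapshot" not in apis or "Process32First" not in apis:
        return 0
    start = apis.index("Process32First")
    end = apis.index("Process32Next") if "Process32Next" in apis else len(apis)
    return sum(1 for a in apis[start:end] if a.startswith("lstrcmpi"))


def triage(lines):
    """Return [(func_id, image_basename, [hit, ...])] for every chain with a hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["apis"]:
            continue
        hits = [name for name, seq in PATTERNS.items() if contains_in_order(rec["apis"], seq)]
        n = name_scan_compares(rec["apis"])
        if n >= 2:  # assumed threshold: more than one process name checked per walk
            hits.append(f"process_name_scan({n})")
        if hits:
            findings.append((rec["func"], rec["image"].rsplit("\\", 1)[-1], hits))
    return findings


# Constructed input: chains copied from the report, sample file name shortened.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_00401597 "
    "NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,"
    "NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401597",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03221FE5 "
    "lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,"
    "NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,"
    "CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,"
    "ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,"
    "WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,"
    "CloseHandle, 9_2_03221FE5",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_03001016 "
    "RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,"
    "CreateToolhelp32Snapshot,Process32First," + ",".join(["lstrcmpiA"] * 22)
    + ",Process32Next,CloseHandle,Sleep, 11_2_03001016",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223BE1 "
    "wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,"
    "lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 9_2_03223BE1",
    # A function with no call list and an unrelated line: both must be ignored.
    r"Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_004032DC 0_2_004032DC",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 007E7F70 appears 32 times",
]

if __name__ == "__main__":
    for func, image, hits in triage(SAMPLE_LINES):
        print(f"{image:14} {func:14} {', '.join(hits)}")
```

Ordered-subsequence matching (rather than exact adjacency) is deliberate: the report's chains interleave CloseHandle, Sleep and RtlMoveMemory calls between the interesting ones, and a packer can reorder or pad a chain without changing what it does.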
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004032DC 0_2_004032DC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E2198 7_2_007E2198
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007EC2F9 7_2_007EC2F9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007FB35C 7_2_007FB35C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00834438 7_2_00834438
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007FB97E 7_2_007FB97E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E6E6A 7_2_007E6E6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00805F08 7_2_00805F08
Source: C:\Windows\explorer.exe Code function: 8_2_00A31E20 8_2_00A31E20
Source: C:\Windows\explorer.exe Code function: 10_2_00D92C00 10_2_00D92C00
Source: C:\Windows\explorer.exe Code function: 12_2_00802054 12_2_00802054
Source: C:\Windows\explorer.exe Code function: 12_2_00802860 12_2_00802860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CEA1C 13_2_030CEA1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CFAB4 13_2_030CFAB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C3DE2 13_2_030C3DE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C4445 13_2_030C4445
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CC452 13_2_030CC452
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C80F6 13_2_030C80F6
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 007E7F70 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 030C8F30 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 007E8801 appears 40 times
Source: WalletService.dll.mui.13.dr Static PE information: No import functions for PE file found
Source: hfetwhc.2.dr Static PE information: No import functions for PE file found
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: hfetwhc.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: hfetwhc.2.dr Static PE information: Section .text
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: Section .text
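The three static findings above (a .text section carrying IMAGE_SCN_MEM_WRITE next to IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE, the RELOCS_STRIPPED / EXECUTABLE_IMAGE / LINE_NUMS_STRIPPED / LOCAL_SYMS_STRIPPED / 32BIT_MACHINE file characteristics, and "No import functions for PE file found") can all be reproduced from the PE headers without executing anything. The Python script below is an added example, not code from the report: it builds a constructed minimal PE32 header set in memory (it is not the analysed sample) and runs the three checks against it; the same functions accept the bytes of a real file. A writable code section is a strong hint that the section is unpacked or patched at runtime, which is consistent with the sample having no import table at all.

```python
"""Static PE checks for writable code sections, file characteristics and a
missing import directory (added example; the PE image is constructed here)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_FILE_* characteristic bits, named as the sandbox report prints them.
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}


def _nt_offset(data):
    """Offset of the 'PE\\0\\0' signature, validating the MZ stub first."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew


def file_characteristics(data):
    """Names of the set IMAGE_FILE_* bits, lowest bit first."""
    nt = _nt_offset(data)
    flags = struct.unpack_from("<H", data, nt + 22)[0]
    return [name for bit, name in sorted(FILE_FLAGS.items()) if flags & bit]


def sections(data):
    """[(name, characteristics)] from the section table."""
    nt = _nt_offset(data)
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    table = nt + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, struct.unpack_from("<I", data, off + 36)[0]))
    return out


def writable_code_sections(data):
    """Names of sections that are code/executable AND writable."""
    return [n for n, c in sections(data)
            if c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and c & IMAGE_SCN_MEM_WRITE]


def has_import_table(data):
    """True if the import data directory (entry 1) has a non-zero RVA and size."""
    nt = _nt_offset(data)
    magic = struct.unpack_from("<H", data, nt + 24)[0]
    dd_base = nt + 24 + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    rva, size = struct.unpack_from("<II", data, dd_base + 8)
    return rva != 0 and size != 0


def build_pe32(section_flags, file_flags=0x010F, import_rva=0):
    """Constructed headers-only PE32 image (not a real sample), enough for the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 0xE0, file_flags)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, import_rva, 20 if import_rva else 0)
    secs = b""
    for i, (name, flags) in enumerate(section_flags):
        secs += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                            0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed samples: one shaped like the report's findings, one "normal" layout.
RWX_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RX_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW_DATA = 0xC0000040  # INITIALIZED_DATA | READ | WRITE
SAMPLE_SUSPICIOUS = build_pe32([(b".text", RWX_TEXT), (b".data", RW_DATA)])
SAMPLE_NORMAL = build_pe32([(b".text", RX_TEXT), (b".data", RW_DATA)],
                           file_flags=0x0102, import_rva=0x2000)

if __name__ == "__main__":
    for label, pe in (("suspicious", SAMPLE_SUSPICIOUS), ("normal", SAMPLE_NORMAL)):
        print(label, file_characteristics(pe), "writable code:",
              writable_code_sections(pe), "imports:", has_import_table(pe))
```

To run the checks on a file on disk, pass `open(path, "rb").read()` to the same functions; the parser only needs the headers, so reading the first few kilobytes is enough.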
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winEXE@17/55@3/2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223BE1 wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 9_2_03223BE1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E4440 CoCreateInstance,SysAllocString,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,wsprintfW, 7_2_007E4440
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hfetwhc
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\BD1F.tmp
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C96A.tmp.7.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe "C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\hfetwhc C:\Users\user\AppData\Roaming\hfetwhc
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\hfetwhc C:\Users\user\AppData\Roaming\hfetwhc
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: provsvc.dll
Source: C:\Users\user\AppData\Roaming\hfetwhc Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: WalletProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdbGCTL source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletProxy.pdb source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdb source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletBackgroundServiceProxy.pdb source: explorer.exe, 0000000D.00000003.2700964728.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: WalletBackgroundServiceProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: xy.pdbGCT.r source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdb source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdbGCT.orp source: explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: WalletService.dll1.13.dr Static PE information: 0xACABE18A [Wed Oct 19 11:05:46 2061 UTC]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00849247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 7_2_00849247
Source: Windows.ApplicationModel.Wallet.dll.13.dr Static PE information: section name: .didat
Source: WalletService.dll1.13.dr Static PE information: section name: .didat
Source: Windows.ApplicationModel.Wallet.dll2.13.dr Static PE information: section name: .didat
Source: Windows.ApplicationModel.Wallet.dll5.13.dr Static PE information: section name: .didat
Source: Windows.ApplicationModel.Wallet.dll6.13.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004032DC push ebp; iretd 0_2_00403485
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Code function: 0_2_004032DC push edx; retn EC8Bh 0_2_004035B1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_3_05C99719 push eax; ret 7_3_05C99725
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_3_05CBCF98 pushfd ; iretd 7_3_05CBCF99
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_3_05CBEDA1 push eax; ret 7_3_05CBEDAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_3_05CBD10B push eax; retf 7_3_05CBD111
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_3_05CBCF1C push edx; iretd 7_3_05CBCF1D
Source: C:\Windows\explorer.exe Code function: 8_2_00A3B124 push ebp; retf 8_2_00A3B12B
Source: C:\Windows\explorer.exe Code function: 8_2_00A3B12C push ebp; retf 8_2_00A3B133
Source: C:\Windows\explorer.exe Code function: 8_2_00A3A055 push es; iretd 8_2_00A3A05D
Source: C:\Windows\explorer.exe Code function: 8_2_00A347A7 push esp; iretd 8_2_00A347A8
Source: C:\Windows\explorer.exe Code function: 8_2_00A34124 push esi; retf 8_2_00A34143
Source: C:\Windows\explorer.exe Code function: 8_2_00A340AC push esi; retf 8_2_00A340BB
Source: C:\Windows\explorer.exe Code function: 8_2_00A340BC push esi; retf 8_2_00A340C3
Source: C:\Windows\explorer.exe Code function: 8_2_00A34001 push esi; retf 8_2_00A34063
Source: C:\Windows\explorer.exe Code function: 8_2_00A31405 push esi; ret 8_2_00A31407
Source: C:\Windows\explorer.exe Code function: 8_2_00A34084 push esi; retf 8_2_00A3409B
Source: C:\Windows\explorer.exe Code function: 8_2_00A34104 push ebp; retf 8_2_00A3411B
Source: C:\Windows\explorer.exe Code function: 8_2_00A3409C push ebp; retf 8_2_00A340AB
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Static PE information: section name: .text entropy: 7.0440254923492915
Source: hfetwhc.2.dr Static PE information: section name: .text entropy: 7.0440254923492915
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\hfetwhc
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\hfetwhc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hfetwhc Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\hfetwhc API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\hfetwhc API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, hfetwhc.2.dr Binary or memory string: SBIEDLLASWHOOKSNXHK^
Source: hfetwhc, hfetwhc, 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, hfetwhc, 00000010.00000000.3773952880.0000000000401000.00000080.00000001.01000000.00000005.sdmp, 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, hfetwhc.2.dr Binary or memory string: ASWHOOK
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 484
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2501
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 802
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 351
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1805
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 876
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 4144
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3727
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 4037
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3635
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 2602
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exe TID: 4124 Thread sleep count: 484 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2288 Thread sleep count: 2501 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2288 Thread sleep time: -250100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2464 Thread sleep count: 802 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2464 Thread sleep time: -80200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4132 Thread sleep count: 313 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3428 Thread sleep count: 335 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3428 Thread sleep time: -33500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 964 Thread sleep count: 351 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 964 Thread sleep time: -35100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2288 Thread sleep count: 1805 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2288 Thread sleep time: -180500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6556 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5436 Thread sleep count: 4144 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5436 Thread sleep time: -4144000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6016 Thread sleep count: 3727 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6016 Thread sleep time: -3727000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5212 Thread sleep count: 4037 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5212 Thread sleep time: -4037000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6288 Thread sleep count: 3635 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6288 Thread sleep time: -3635000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5728 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep count: 2602 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep time: -1561200000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
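The paired count/time hits above carry more information than the single threshold rule (count > 30, time >= 30000) suggests: 1805 sleeps totalling 180500, 3727 totalling 3727000 and 4144 totalling 4144000 mean each flagged thread loops over short sleeps of 100 or 1000 units rather than issuing one long Sleep call, which is exactly the pattern that survives a sandbox that only patches individual long sleeps. The following Python is an added example, not part of the Joe Sandbox report, that parses lines of this shape and derives the per-thread count, total and average delay; the sample lines are copied from the report, the units are left as printed (the report's minus sign and trailing "s" are stripped before comparison), and the threshold values are the ones the report itself prints.

```python
import re
from collections import defaultdict

# Constructed sample: a few hits copied in the shape of the report's
# "Thread sleep count" / "Thread sleep time" lines (values as printed above).
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe TID: 2288 Thread sleep count: 1805 > 30 Jump to behavior",
    r"Source: C:\Windows\explorer.exe TID: 2288 Thread sleep time: -180500s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe TID: 6556 Thread sleep time: -30000s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep count: 2602 > 30 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep time: -1561200000s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 Thread sleep time: -600000s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed",  # not a sleep hit: ignored
]

# The minus sign and the trailing "s" are the report's own rendering of the
# values; both are stripped so that the numbers can be compared.
SLEEP_RE = re.compile(
    r"^Source: (?P<image>\S+) TID: (?P<tid>\d+) Thread sleep "
    r"(?P<kind>count|time): -?(?P<value>\d+)s? >=? -?(?P<threshold>\d+)s?"
)


def parse_sleep_lines(lines):
    """Group the count hit and every time hit of a thread under its TID."""
    threads = defaultdict(lambda: {"image": None, "count": None, "times": []})
    for line in lines:
        m = SLEEP_RE.match(line.strip())
        if not m:
            continue
        entry = threads[int(m["tid"])]
        entry["image"] = m["image"]
        if m["kind"] == "count":
            entry["count"] = int(m["value"])
        else:
            entry["times"].append(int(m["value"]))
    return dict(threads)


def assess_thread(entry, count_threshold=30, time_threshold=30000):
    """Reasons (in the report's own terms) why a thread looks like it stalls."""
    reasons = []
    total = sum(entry["times"])
    if entry["count"] is not None and entry["count"] > count_threshold:
        reasons.append(f"count {entry['count']} > {count_threshold}")
    if total >= time_threshold:
        reasons.append(f"total delay {total} >= {time_threshold}")
    if time_threshold in entry["times"]:
        reasons.append("a single delay sits exactly on the threshold")
    return reasons


def summarize(lines):
    """Per-TID view: how often, how long in total, and how long per Sleep call."""
    out = {}
    for tid, entry in parse_sleep_lines(lines).items():
        total = sum(entry["times"])
        count = entry["count"]
        out[tid] = {
            "image": entry["image"],
            "count": count,
            "total_delay": total,
            # average length of one sleep; a small value with a large count
            # means a loop of short sleeps rather than one long Sleep() call
            "avg_delay": total // count if count else None,
            "reasons": assess_thread(entry),
        }
    return out


if __name__ == "__main__":
    for tid, info in summarize(SAMPLE_LINES).items():
        print(tid, info)
```

For TID 2288 the average comes out at exactly 100 per sleep, for TID 5676 at roughly 600230 because that thread logged two separate time hits; a detection that only looks for a single Sleep above the threshold sees neither loop.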
Source: C:\Windows\SysWOW64\explorer.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 7_2_007E2B15
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 7_2_007E1D4A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 7_2_007E3ED9
Source: C:\Windows\explorer.exe Code function: 8_2_00A330A8 FindFirstFileW,FindNextFileW,FindClose, 8_2_00A330A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 9_2_032215BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 9_2_032213FE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 9_2_032214D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C2240 FindFirstFileW,FindNextFileW,FindClose, 13_2_030C2240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C18E0 lstrcatW,lstrcatW,PathCombineW,lstrcatW,PathRemoveFileSpecW,FindFirstFileExW,lstrcmpiW,PathCombineW,PathCombineW,FindNextFileW,FindClose, 13_2_030C18E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C20C1 FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 13_2_030C20C1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C1A96 GetTempPathW,GetTempFileNameW,DeleteFileW,PathRemoveExtensionW,StrRChrW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,StrStrIW,SHGetFolderPathW,PathFindFileNameW,PathAppendW,ExpandEnvironmentStringsW, 13_2_030C1A96
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E6512 GetSystemInfo, 7_2_007E6512
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wu8T4pTb6lB/S4575QEMucJCA6t2SIK8JRkixF4YO6ZIn2ECrfxnkHDBpze1yCdc
Source: CB6F.tmp.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.3028944586.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3331097674.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2720681255.00000000052D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: explorer.exe, 00000002.00000000.1475801434.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: CB6F.tmp.7.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: CB6F.tmp.7.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: CB6F.tmp.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /58dkNNZeUbpzKEqNMgIfedN5t07OwVaUYdUvHAi1Vmci+AyDoG5YM9Sp6Avz8GZ
Source: CB6F.tmp.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: CB6F.tmp.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3328845519.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2720681255.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3929873885.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3337698366.00000000052C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nN4Ob0EdihPikyg9/f2Ijp9YtJyWtm9Pt4bjD4m2I+TQnlE0jQEmu/HiZX58CXfr
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: F7Y4Jb8TGC2Y9elc4Q+PXVFeaNGLOMyeQu+4D4TZJIj9HVFJJRHoqeMUzmixNUIE
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: CB6F.tmp.7.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: CB6F.tmp.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X0965qmFJYZTMZgkPxQrSMr0mnDTzq3h/B4LcIPnwQnvFDEojVMCisheyqbiKRaU
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: CB6F.tmp.7.dr Binary or memory string: global block list test formVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qnJ9IBIqERRPYObzqzCR4E2Pno4vEQK5S3ZmJvdJxxHaOiUt87o3qzu/N3hgfsJy
Source: CB6F.tmp.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: CB6F.tmp.7.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: CB6F.tmp.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: CB6F.tmp.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MV5B3gKLZfBeiIIkOrqzjInc/BDc3VmciZVyyZuAhLdyfok7kfwJgNXGoXAflaSi
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: CB6F.tmp.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1475801434.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CB6F.tmp.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: CB6F.tmp.7.dr Binary or memory string: discord.comVMware20,11696494690f
Source: CB6F.tmp.7.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CtMruuE88zUegpohoAYRJ5dRE/S0A+7zN9dr9JB5J+VR6hgFS0rtauc+i0GQp33G
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Tp1R+vlrD1IQbQGaqeMUcxBijXs2eD8iAol/tEQCxHEjuBNMhnlsJ+8L3PKFV9ij
Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRpxBXUnPrQ1RF72qpFNThLnlIDIyFvDGaGgj/xA5nx96U1DmUZuNQemu+yD60k5
Source: CB6F.tmp.7.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: CB6F.tmp.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: CB6F.tmp.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CB6F.tmp.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: CB6F.tmp.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: CB6F.tmp.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UFrfpwV8tVMcIS3xoTFuj5TBeDaN1/q2SnijhlCzHbMQcma6JLlAb89jwcbHadsp
Source: CB6F.tmp.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: paL2NRvMCI0MgIwk3w9na8CLQs89jm8ml68lWff74o5sWe0hB35mVASi9cjw6Zgw
Source: CB6F.tmp.7.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zky1YUFElgKHOKZFDPrTGaZ3KIn1xbublyxGLQWkIU8BbnmvMCihnACmZs/Ixgls
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +OqVKFUapLs7dkeBTUj/LDdQgceC7O/XE2zjxph4fHgFSuPx5NkzZn5ezpms5G2K
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CaCmYyEidjs0HgLkCOUXz5yRIveOPVo422YPEhU7nqvMCiRtQKO+fno8bUejgrcf
Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gx68nznXX4ETXERyNzBanQ0q7UQgKLfP7RE0ac2eJR3AHGFsyJ8lQsVMECkiBNTX
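Two different kinds of evidence are mixed in the "Binary or memory string" hits above. The device instance IDs and interface paths found in explorer.exe memory (Ven_VMware, Ven_NECVMWar, Prod_Virtual_disk, "Hyper-V RAW") are what a disk-enumeration check actually reads, and they are what a sandbox operator has to mask. The "VMware20,11696494690" hits from the dropped file CB6F.tmp.7.dr sit next to site and account names rather than hardware identifiers, so they should not be read as disk-enumeration evidence. The following Python is an added example, not code from the report, that parses both Windows device identifier formats into vendor/product/instance fields and sorts every string into one of those two buckets; the VirtualBox, QEMU and Hyper-V vendor strings in the table are added from general knowledge of those guests and are not something this report shows.

```python
import re

# Constructed sample of the "Binary or memory string" hits listed above, mixing
# hardware identifiers found in explorer.exe memory with free-text hits from the
# dropped file CB6F.tmp.7.dr and one unrelated string.
SAMPLE_STRINGS = [
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000",
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000",
    r"\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
    r"\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "Hyper-V RAW",
    "VMware SATA CD00=",
    "bankofamerica.comVMware20,11696494690x",
    "NXTcaVMWare",
    "Shell_TrayWnd",
]

# Device instance ID as Windows stores it (SetupAPI / registry Enum key):
#   SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
INSTANCE_RE = re.compile(
    r"^(?P<bus>[A-Za-z]+)\\(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)"
    r"&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)
# Device interface path (the form returned by device-interface enumeration):
#   \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{guid}
INTERFACE_RE = re.compile(
    r"^\\\\\?\\(?P<bus>[A-Za-z]+)#(?P<class>[^&#]+)&ven_(?P<vendor>[^&#]+)"
    r"&prod_(?P<product>[^#]+)#(?P<instance>[^#]+)#\{(?P<guid>[0-9A-Fa-f-]+)\}",
    re.IGNORECASE,
)

# Vendor strings that name the hypervisor. VMware and NECVMWar are the ones the
# report shows; vbox, qemu and msft are added from general knowledge of
# VirtualBox, QEMU and Hyper-V guests and are not evidence from this report.
VENDOR_HYPERVISOR = {
    "vmware": "VMware",
    "necvmwar": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU",
    "msft": "Hyper-V",
}
FREE_TEXT_TOKENS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu")


def parse_device_id(s):
    """Split a device instance ID or interface path into its fields, else None."""
    m = INSTANCE_RE.match(s) or INTERFACE_RE.match(s)
    if not m:
        return None
    d = m.groupdict()
    d.setdefault("guid", None)  # instance IDs carry no interface class GUID
    return d


def classify_device(dev):
    """Name the hypervisor(s) a parsed device identifier gives away."""
    vendor, product = dev["vendor"].lower(), dev["product"].lower()
    hits = []
    if vendor in VENDOR_HYPERVISOR:
        hits.append(VENDOR_HYPERVISOR[vendor])
    if "vmware" in product and "VMware" not in hits:
        hits.append("VMware")
    if "virtual" in product:
        hits.append("virtual device (product string)")
    return hits


def scan_strings(strings):
    """Sort strings into parsed device identifiers and plain-text mentions."""
    result = {"device_ids": [], "free_text": []}
    for s in strings:
        dev = parse_device_id(s)
        if dev:
            dev["hypervisors"] = classify_device(dev)
            result["device_ids"].append(dev)
        elif any(tok in s.lower() for tok in FREE_TEXT_TOKENS):
            result["free_text"].append(s)
    return result


if __name__ == "__main__":
    for dev in scan_strings(SAMPLE_STRINGS)["device_ids"]:
        print(dev["class"], dev["vendor"], dev["product"], dev["hypervisors"])
```

The vendor field is the part that leaks: both the CD-ROM (NECVMWar) and the disk (VMware) identify the hypervisor on their own, independently of the product string, so masking only "VMware" in the product name would leave the check working.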
Source: C:\Windows\SysWOW64\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\hfetwhc System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\hfetwhc Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03221E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 9_2_03221E4C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CCBFA IsDebuggerPresent, 13_2_030CCBFA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CE15A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 13_2_030CE15A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00849247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 7_2_00849247
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E1011 GetProcessHeap,RtlFreeHeap, 7_2_007E1011
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030C8DF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_030C8DF5
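The "Code function" lines, both the FindFirstFileW/FindNextFileW/FindClose enumeration chains further up and the anti-debugging chains in this section, are the most reusable part of the report: each one is a function's API call sequence tagged with the process number and the function's address. The following Python is an added example, not code from the report, that parses these lines, tags each chain by the API families it touches and spots two patterns the report calls out in prose (CreateMutexA directly followed by GetLastError, the mutex check that may stop execution, and a complete FindFirstFileW/FindNextFileW/FindClose loop). The family labels are my own grouping for the example; the first five sample chains are copied from the report and the last is abbreviated from the report's 9_2_03223862 line to keep the block short.

```python
import re
from collections import Counter

# Constructed sample of "Code function" lines in the shape used above. The
# first five are copied from the report; the last chain is abbreviated from
# the report's 9_2_03223862 line.
SAMPLE_CHAINS = [
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_030CCBFA IsDebuggerPresent, 13_2_030CCBFA",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00849247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 7_2_00849247",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03221E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, 9_2_03221E4C",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 9_2_032214D8",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_008355EB cpuid 7_2_008355EB",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,Sleep,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862",
]

# <process>_<n>_<address> <api,api,...> <same id>; the first field is the
# process number used throughout the report, the last the function address.
CHAIN_RE = re.compile(
    r"Code function: (?P<fid>(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)) (?P<chain>\S+?),? (?P=fid)$"
)

# API families worth flagging. The grouping is my own labelling for the
# example, not the report's.
API_TAGS = {
    "IsDebuggerPresent": "anti-debug",
    "OutputDebugStringW": "anti-debug",
    "DebugActiveProcess": "anti-debug",
    "QueryPerformanceCounter": "anti-debug (timing)",
    "cpuid": "environment fingerprinting",
    "CreateMutexA": "single-instance / mutex gate",
    "CreateToolhelp32Snapshot": "process enumeration",
    "Process32First": "process enumeration",
    "Process32Next": "process enumeration",
    "LoadLibraryA": "dynamic import resolution",
    "GetProcAddress": "dynamic import resolution",
    "VirtualProtect": "memory protection change",
    "LdrProcessRelocationBlock": "manual image relocation",
    "FindFirstFileW": "file system enumeration",
    "SetFileAttributesW": "file deletion",  # clearing read-only before DeleteFileW
    "DeleteFileW": "file deletion",
    "RemoveDirectoryW": "file deletion",
    "Sleep": "delay",
}


def analyze_chain(line):
    """Parse one Code function line into its APIs and the families they hit."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    apis = m["chain"].split(",")
    return {
        "fid": m["fid"],
        "process": int(m["proc"]),
        "address": int(m["addr"], 16),
        "apis": apis,
        "counts": Counter(apis),
        "tags": sorted({API_TAGS[a] for a in apis if a in API_TAGS}),
        # CreateMutexA immediately followed by GetLastError is the usual
        # ERROR_ALREADY_EXISTS check: run once, or exit if already running
        "mutex_gate": any(a == "CreateMutexA" and b == "GetLastError"
                          for a, b in zip(apis, apis[1:])),
        "enumerates_files": all(x in apis for x in ("FindFirstFileW", "FindNextFileW", "FindClose")),
    }


def rank(lines):
    """Chains ordered by how many flagged families they touch, most first."""
    results = [r for r in map(analyze_chain, lines) if r]
    return sorted(results, key=lambda r: (-len(r["tags"]), r["fid"]))


if __name__ == "__main__":
    for r in rank(SAMPLE_CHAINS):
        print(r["fid"], r["tags"], "mutex_gate" if r["mutex_gate"] else "")
```

Ranking by family count puts the mutex/process-enumeration function first and the lone IsDebuggerPresent call last, which is the order in which an analyst would want to open them in the unpacked image: the function at 9_2_03223862 is the one that decides whether the sample keeps running at all.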

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: hfetwhc.2.dr Jump to dropped file
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Thread created: C:\Windows\explorer.exe EIP: BE19D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hfetwhc Thread created: unknown EIP: 80E19D0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1868 base: A579C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 2500 base: 7FF62D872D10 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3424 base: A579C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 2976 base: 7FF62D872D10 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 7064 base: A579C0 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 6984 base: 7FF62D872D10 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5440 base: A579C0 value: 90 Jump to behavior
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\hfetwhc Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\hfetwhc Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0 Jump to behavior
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1473970077.00000000044D0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1475801434.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_008355EB cpuid 7_2_008355EB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E2112 GetSystemTimeAsFileTime,_alldiv,wsprintfA, 7_2_007E2112
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_007E2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 7_2_007E2198

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED