Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49708 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49709 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49710 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49711 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49712 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49713 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49714 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49715 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49717 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49718 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49719 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49720 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49721 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49722 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49723 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49724 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49725 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49726 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49727 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49728 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49729 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49730 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49731 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49732 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49733 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49734 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49735 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49736 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49737 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49738 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49739 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49740 -> 187.211.208.213:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49741 -> 2.180.10.7:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49742 -> 2.180.10.7:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49743 -> 2.180.10.7:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49744 -> 2.180.10.7:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49745 -> 2.180.10.7:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.9:49746 -> 2.180.10.7:80 |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pupsyyqhnyuu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://knxhgptouprbniih.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://emyurlqcjjyj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ejbjebnoyfri.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bwysdrtpablfgl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uofkobqxixbfk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fcuywombggrafjib.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ynktcenwpam.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uvmhklgullnvt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 340Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rvkwbvhuhtjbr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://momncwwqinyqtp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://roylvkurbui.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wpiwrcrirxduh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oihhrvgcybvcsuxi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rrqnkwtyoabmogph.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://edieevlfgkkls.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jmclafrxoobmieku.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kypbrgoejmtypjld.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gmnbaopyagukh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nfhkllysrbr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lyvyflfisyah.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://arpnixxgabsm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fqsxiiurjreg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aejfdfxpfervxw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fmuksxchfhia.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cwgamrfxlonyha.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://icollummmgr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xadirvaessjoufrs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nycxtrjfegyhmkwh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nlprikrcsqcwcx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://goxggajhtahiors.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lqiladfddekdv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 220Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fwfgljdxisppjhs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wwlupdikxjrxjim.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pllsurjetsi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mgejyfixlvh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vesjqmoimso.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dafyvrphumoidoi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: nidoe.org |
Source: 0000000B.00000002.1602547599.0000000002620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000001.00000002.1361119076.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 0000000E.00000002.2342305962.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000001.00000002.1360962326.0000000000B1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 0000000E.00000002.2346010984.0000000000E22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 0000000B.00000002.1602463145.0000000000C4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_004013ED |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_00401507 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_00401518 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, |
1_2_0040141C |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_0040151C |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, |
1_2_0040142C |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004032D5 RtlInitUnicodeString,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, |
1_2_004032D5 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_004014E2 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, |
1_2_004013EC |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
1_2_004014ED |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, |
1_2_004013F9 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00402381 NtQuerySystemInformation, |
1_2_00402381 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_004013ED |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_00401507 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_00401518 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, |
11_2_0040141C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_0040151C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, |
11_2_0040142C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004032D5 RtlInitUnicodeString,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower, |
11_2_004032D5 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_004014E2 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, |
11_2_004013EC |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
11_2_004014ED |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, |
11_2_004013F9 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00402381 NtQuerySystemInformation, |
11_2_00402381 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004013ED NtAllocateVirtualMemory,GlobalAlloc,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_004013ED |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_00401507 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_00401518 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_0040141C NtAllocateVirtualMemory,GlobalAlloc, |
14_2_0040141C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_0040151C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_0040142C NtAllocateVirtualMemory,GlobalAlloc, |
14_2_0040142C |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_004014E2 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004013EC NtAllocateVirtualMemory,GlobalAlloc, |
14_2_004013EC |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,LoadLibraryA,NtMapViewOfSection,NtMapViewOfSection, |
14_2_004014ED |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004013F9 NtAllocateVirtualMemory,GlobalAlloc, |
14_2_004013F9 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00402381 NtQuerySystemInformation, |
14_2_00402381 |
Source: 0000000B.00000002.1602547599.0000000002620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 0000000B.00000002.1602661016.0000000002761000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 0000000E.00000002.2342383112.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000001.00000002.1361119076.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 0000000E.00000002.2342305962.0000000000C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000001.00000002.1361136760.0000000002730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000001.00000002.1360962326.0000000000B1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 0000000E.00000002.2346010984.0000000000E22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000001.00000002.1361171360.0000000002751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 0000000B.00000002.1602463145.0000000000C4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 0000000E.00000002.2345420365.0000000000DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 0000000B.00000002.1602567802.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00401205 push ecx; iretd |
1_2_00401211 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00401735 push eax; retf |
1_2_00401737 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_004031E3 push eax; ret |
1_2_004032BE |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00B2C9B9 push edx; ret |
1_2_00B2C9BE |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00B293DA push cs; retf |
1_2_00B293DB |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00B25C37 push ecx; iretd |
1_2_00B25C43 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_00B2C644 push edx; retf |
1_2_00B2C645 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Code function: 1_2_0272126C push ecx; iretd |
1_2_02721278 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00401205 push ecx; iretd |
11_2_00401211 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00401735 push eax; retf |
11_2_00401737 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_004031E3 push eax; ret |
11_2_004032BE |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00C5518F push ecx; iretd |
11_2_00C5519B |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00C5BB9C push edx; retf |
11_2_00C5BB9D |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00C5BF11 push edx; ret |
11_2_00C5BF16 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_00C58932 push cs; retf |
11_2_00C58933 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 11_2_0262126C push ecx; iretd |
11_2_02621278 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00401205 push ecx; iretd |
14_2_00401211 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00401735 push eax; retf |
14_2_00401737 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_004031E3 push eax; ret |
14_2_004032BE |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00C7126C push ecx; iretd |
14_2_00C71278 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00E2DBDA push cs; retf |
14_2_00E2DBDB |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00E311B9 push edx; ret |
14_2_00E311BE |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00E30E44 push edx; retf |
14_2_00E30E45 |
Source: C:\Users\user\AppData\Roaming\twiufas |
Code function: 14_2_00E2A437 push ecx; iretd |
14_2_00E2A443 |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\YWwcRHSpbw.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\twiufas |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: explorer.exe, 00000007.00000000.1350273360.0000000007065000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000007.00000000.1351615775.000000000888E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}= |
Source: explorer.exe, 00000007.00000000.1351615775.0000000008979000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00` |
Source: explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: NXTVMWare |
Source: explorer.exe, 00000007.00000000.1351615775.0000000008796000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWe |
Source: explorer.exe, 00000007.00000000.1351615775.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O |
Source: explorer.exe, 00000007.00000000.1351615775.00000000087C0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d |
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000 |
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l |
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 |
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000007.00000000.1348844310.0000000000A44000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000007.00000000.1351615775.00000000088E6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 |