Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49706 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49707 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49708 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49709 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49710 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49711 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49712 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49713 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49716 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49717 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49718 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49719 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49720 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49721 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49722 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49723 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49724 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49725 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49726 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49727 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49728 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49729 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49730 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49731 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49732 -> 175.119.10.231:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49733 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49734 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49735 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49736 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49737 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49738 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49739 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49740 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49741 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49742 -> 95.86.30.3:80 |
Source: Traffic |
Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.6:49743 -> 95.86.30.3:80 |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://pnvlycbcghcgkrg.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 350; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://guhupprhkfxteykm.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 161; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://swykuolavcpkeu.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 334; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://cfpmhjbtnnspkr.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 257; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://rcwcjwtgqtrk.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 132; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://eecygbqkuixd.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 241; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://gvpptbbjhqwtbt.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 274; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://habidwgrhaptyh.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 184; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://fkfhpisoqfsv.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 352; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://opponcvxitldw.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 318; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://lfwvuxydloyjiti.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 255; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://gaduqfhesnk.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 225; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://htwwypuseixblj.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 354; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://chqqpchquyhotgm.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 266; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://xrirccluksou.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 200; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://loxowxqkfdy.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 132; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://wfkknmjwnemmu.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 110; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://dgknnrdhkjobn.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 305; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://tlyylwwlslj.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 274; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://cljdrbjyegucspt.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 173; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://hsqaxvfmigrauoy.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 300; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://nvkgstredaturd.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 124; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://xnkrseavrjhu.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 263; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://jcoflffblunqqh.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 150; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://bjhxhpxfxsas.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 204; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://sqqiwatcqnjc.com/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 232; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://xbaflojmyub.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 304; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://yhjwrvnjbebdsr.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 170; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://hpdqhjtffpefc.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 209; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://paalhvtscxhk.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 292; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://hyqcvlmvqexo.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 293; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://toqaaeutvgeyb.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 350; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://dpucdofclcoryi.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 358; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://rihptgebjpcvg.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 205; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://rqqhdxchyrra.org/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 186; Host: nidoe.org |
Source: global traffic |
HTTP traffic detected: POST /tmp/index.php HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://pvwypqverqnt.net/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Length: 158; Host: nidoe.org |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di |
Source: explorer.exe, 00000002.00000000.2113619525.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2116271105.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2116287304.0000000007B60000.00000002.00000001.00040000.00000000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: explorer.exe, 00000002.00000000.2117570355.00000000099AB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp |
Source: explorer.exe, 00000002.00000000.2119446650.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://android.notify.windows.com/iOS |
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/ |
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/I |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows? |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows? |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://arc.msn.com |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://excel.office.com- |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://outlook.come |
Source: explorer.exe, 00000002.00000000.2119446650.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://powerpoint.office.comEMd |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew |
Source: explorer.exe, 00000002.00000000.2117570355.00000000099AB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://wns.windows.com/e |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C048000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://word.office.comM |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its- |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized- |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of- |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com:443/en-us/feed |
Source: 00000006.00000002.2363719760.00000000006D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.2127934835.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.2128058168.0000000000801000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000006.00000002.2363770795.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR |
Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_0040141C NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_0040142C NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004013EC NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004013F9 NtAllocateVirtualMemory |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00402381 NtQuerySystemInformation |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004013ED NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_00401507 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_00401518 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_0040141C NtAllocateVirtualMemory |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_0040151C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_0040142C NtAllocateVirtualMemory |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004014E2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004013EC NtAllocateVirtualMemory |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004013F9 NtAllocateVirtualMemory |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_00402381 NtQuerySystemInformation |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Section loaded: msimg32.dll |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Section loaded: msvcr100.dll |
Source: C:\Windows\explorer.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\explorer.exe |
Section loaded: webio.dll |
Source: C:\Windows\explorer.exe |
Section loaded: windows.internal.shell.broker.dll |
Source: C:\Windows\explorer.exe |
Section loaded: windows.cloudstore.schema.shell.dll |
Source: C:\Windows\explorer.exe |
Section loaded: vcruntime140_1.dll |
Source: C:\Windows\explorer.exe |
Section loaded: vcruntime140.dll |
Source: C:\Windows\explorer.exe |
Section loaded: msvcp140.dll |
Source: C:\Windows\explorer.exe |
Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Section loaded: msimg32.dll |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Section loaded: msvcr100.dll |
Source: 00000006.00000002.2363719760.00000000006D1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.2127934835.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000006.00000002.2363788041.0000000002170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.2128140620.00000000021B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.2128058168.0000000000801000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000006.00000002.2363770795.0000000002160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000000.00000002.2127986796.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000006.00000002.2363822489.0000000002191000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR |
Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00401205 push ecx; iretd |
0_2_00401211 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00401735 push eax; retf |
0_2_00401737 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_004031E3 push eax; ret |
0_2_004032BE |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_006B126C push ecx; iretd |
0_2_006B1278 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_008057BB push ecx; iretd |
0_2_008057C7 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_0080C1C8 push edx; retf |
0_2_0080C1C9 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_0080C53D push edx; ret |
0_2_0080C542 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Code function: 0_2_00808F5E push cs; retf |
0_2_00808F5F |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_00401205 push ecx; iretd |
6_2_00401211 |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_00401735 push eax; retf |
6_2_00401737 |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_004031E3 push eax; ret |
6_2_004032BE |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_006DBF65 push edx; ret |
6_2_006DBF6A |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_006D51E3 push ecx; iretd |
6_2_006D51EF |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_006DBBF0 push edx; retf |
6_2_006DBBF1 |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_006D8986 push cs; retf |
6_2_006D8987 |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Code function: 6_2_0216126C push ecx; iretd |
6_2_02161278 |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\Desktop\2LksWs2xq7.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\thjwhdg |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Windows\explorer.exe TID: 3580 |
Thread sleep count: 437 > 30 |
Source: C:\Windows\explorer.exe TID: 2996 |
Thread sleep count: 1065 > 30 |
Source: C:\Windows\explorer.exe TID: 2996 |
Thread sleep time: -106500s >= -30000s |
Source: C:\Windows\explorer.exe TID: 3976 |
Thread sleep count: 893 > 30 |
Source: C:\Windows\explorer.exe TID: 3976 |
Thread sleep time: -89300s >= -30000s |
Source: C:\Windows\explorer.exe TID: 6556 |
Thread sleep count: 335 > 30 |
Source: C:\Windows\explorer.exe TID: 6444 |
Thread sleep count: 345 > 30 |
Source: C:\Windows\explorer.exe TID: 6444 |
Thread sleep time: -34500s >= -30000s |
Source: C:\Windows\explorer.exe TID: 3236 |
Thread sleep count: 361 > 30 |
Source: C:\Windows\explorer.exe TID: 3236 |
Thread sleep time: -36100s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2996 |
Thread sleep count: 3550 > 30 |
Source: C:\Windows\explorer.exe TID: 2996 |
Thread sleep time: -355000s >= -30000s |
Source: explorer.exe, 00000002.00000000.2117207484.000000000962B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv |
Source: explorer.exe, 00000002.00000000.2117570355.00000000097F3000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000 |
Source: explorer.exe, 00000002.00000000.2117207484.000000000973C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWws |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom |
Source: explorer.exe, 00000002.00000000.2117207484.0000000009605000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: NXTVMWare |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@ |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@] |
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000002.00000000.2117207484.000000000978C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W |
Source: explorer.exe, 00000002.00000000.2114459292.00000000073E5000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000 |
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6 |
Source: explorer.exe, 00000002.00000000.2119446650.000000000C354000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@r |
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 |
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 |
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D99000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: IProgram Manager |
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2114339773.00000000048E0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000002.00000000.2113323981.0000000000D69000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: +Progman |
Source: explorer.exe, 00000002.00000000.2113548191.00000000013A0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: explorer.exe, 00000002.00000000.2117570355.00000000098AD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd31A |