Source: v04mldbd.exe.6852.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "ExiSLgKrA56omq", "URL: ": "http://flF3mJWUOO3.net", "To: ": "", "ByHost: ": "smtp.kpce-co.com:587", "Password: ": "OrTFHBY8O", "From: ": ""} |
Source: 2.2.v04mldbd.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8 |
Source: 2.2.v04mldbd.exe.4ca0000.4.unpack | Avira: Label: TR/Spy.Gen8 |
Source: 2.1.v04mldbd.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8 |
Source: | Binary string: wntdll.pdbUGP source: xidczjbzj.exe, 00000001.00000003.231926242.0000000004AD0000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: xidczjbzj.exe, 00000001.00000003.231926242.0000000004AD0000.00000004.00000001.sdmp |
Source: | Binary string: mscorrc.pdb source: v04mldbd.exe, 00000002.00000002.605383560.0000000000D10000.00000002.00000001.sdmp |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_004065C1 FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_004027A1 FindFirstFileA, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00404A29 FindFirstFileExW, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_00404A29 FindFirstFileExW, |
Source: v04mldbd.exe, 00000002.00000002.607044229.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: v04mldbd.exe, 00000002.00000002.607044229.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://DpIPFD.com |
Source: v04mldbd.exe, 00000002.00000002.607044229.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0 |
Source: v04mldbd.exe, 00000002.00000002.607506755.0000000002BD2000.00000004.00000001.sdmp | String found in binary or memory: http://flF3mJWUOO3.net |
Source: HTG-9087650.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: HTG-9087650.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, v04mldbd.exe, 00000002.00000000.226659909.00000000004C9000.00000002.00020000.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/ |
Source: nsx3578.tmp.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: xidczjbzj.exe, 00000001.00000002.236016980.0000000004843000.00000004.00000001.sdmp, nsx3578.tmp.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06 |
Source: xidczjbzj.exe, 00000001.00000002.232405939.0000000001190000.00000004.00000001.sdmp, v04mldbd.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: v04mldbd.exe, 00000002.00000002.607044229.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011F2714 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0127D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004AB136 NtQuerySystemInformation, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004AB105 NtQuerySystemInformation, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_00407272 |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_00406A9B |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011F1663 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0120DD28 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01226502 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01278400 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011FB020 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0120D45D |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011F9C80 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011F94E0 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0121DBA5 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01226FE6 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0121BFD6 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0120F628 |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_012116B4 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_0040A2A5 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00E98310 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_054A0070 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_054A5B10 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_054AAFF0 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_054A9AB0 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_054A0017 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_0040A2A5 |
Source: xidczjbzj.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: v04mldbd.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 2.2.v04mldbd.exe.4ca0000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004AAFBA AdjustTokenPrivileges, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004AAF83 AdjustTokenPrivileges, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: unknown | Process created: C:\Users\user\Desktop\HTG-9087650.exe 'C:\Users\user\Desktop\HTG-9087650.exe' |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\syioy.pm |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\v04mldbd.exe C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\syioy.pm |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Process created: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\syioy.pm |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Process created: C:\Users\user\AppData\Local\Temp\v04mldbd.exe C:\Users\user\AppData\Local\Temp\xidczjbzj.exe C:\Users\user\AppData\Local\Temp\syioy.pm |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01218B75 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00401F16 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004A27A4 push esi; ret |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_05701FB8 push 6FE2C310h; ret |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_00401F16 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01205EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
Source: C:\Users\user\Desktop\HTG-9087650.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe TID: 6952 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe TID: 6952 | Thread sleep count: 1050 > 30 |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe TID: 6952 | Thread sleep time: -31500000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe TID: 6952 | Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe TID: 6952 | Thread sleep time: -30000s >= -30000s |
Source: v04mldbd.exe, 00000002.00000002.609497118.00000000055B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: v04mldbd.exe, 00000002.00000002.609497118.00000000055B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: v04mldbd.exe, 00000002.00000002.609497118.00000000055B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: v04mldbd.exe, 00000002.00000002.609497118.00000000055B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_01225CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011819DD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_011817DA mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_004035F1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\xidczjbzj.exe | Code function: 1_2_0121A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00401E1D SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_00401E1D SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Code function: 2_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: xidczjbzj.exe, 00000001.00000002.236009405.0000000004835000.00000004.00000001.sdmp, v04mldbd.exe, 00000002.00000000.226633658.00000000004B6000.00000002.00020000.sdmp, nsx3578.tmp.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: xidczjbzj.exe, v04mldbd.exe, 00000002.00000002.605596563.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: v04mldbd.exe, 00000002.00000002.605596563.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: v04mldbd.exe, 00000002.00000002.605596563.0000000001250000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: v04mldbd.exe, 00000002.00000002.605596563.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: v04mldbd.exe, 00000002.00000002.605596563.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: Yara match | File source: 00000002.00000002.609043006.0000000004CA2000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.604206225.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000001.231786919.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.608368856.0000000003B61000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.608962931.0000000004C60000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.604739933.0000000000956000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.607044229.0000000002B61000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.232405939.0000000001190000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: v04mldbd.exe PID: 6852, type: MEMORY |
Source: Yara match | File source: Process Memory Space: xidczjbzj.exe PID: 6824, type: MEMORY |
Source: Yara match | File source: 2.2.v04mldbd.exe.4ca0000.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.v04mldbd.exe.4c60000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.v04mldbd.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.v04mldbd.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.v04mldbd.exe.4c60000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.xidczjbzj.exe.1190000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.1.v04mldbd.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.xidczjbzj.exe.1190000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities |
Source: C:\Users\user\AppData\Local\Temp\v04mldbd.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |