Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.430008393.0000000008E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/1760 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/1760jf. |
Source: 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220/update.zip |
Source: 5GPueTFF2S.exe, 00000000.00000003.385525417.000000000CCC0000.00000040.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.431582702.000000000B030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:8 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80 |
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80/update.zip |
Source: 5GPueTFF2S.exe, 00000000.00000002.422509988.00000000005AC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80/update.zipb1ef1c57276c118008692-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963 |
Source: 5GPueTFF2S.exe, 00000000.00000002.425200801.0000000002A90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:801760 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://135.181.10.220:80https://t.me/vmt001hello2092;open_open |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://135ple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe |
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: 5GPueTFF2S.exe, 00000000.00000002.424393747.00000000028CA000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mIkUB7ZDt5qfxou902VyKe64v30McOy.LnrmXFtSK2Pynk6VWBPG5Sf1w0AavRp1BVjmQQUkh2vmJkxEZO5UQQZNHAms9 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://mikub7zdt5qfxou902vyke64v30mcoy.lnrmxftsk2pynk6vwbpg5s/ |
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exe |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ripple-wells-2022.net/yzoyoebw6fqrey/nppshell.exerO |
Source: 5GPueTFF2S.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: 5GPueTFF2S.exe | String found in binary or memory: http://s.symcd.com06 |
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: 5GPueTFF2S.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/cps0% |
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: 5GPueTFF2S.exe | String found in binary or memory: https://d.symcb.com/rpa0. |
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: 39866407027900499026559352.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: 75873290272674793137.exe, 00000001.00000003.430764953.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, cred64[1].dll.7.dr, 75873290272674793137.exe.0.dr, gntuud.exe.1.dr | String found in binary or memory: https://sectigo.com/CPS0 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/vmt001 |
Source: 5GPueTFF2S.exe, 00000000.00000003.395141799.0000000008DF0000.00000004.00000800.00020000.00000000.sdmp, 39866407027900499026559352.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown |
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown |
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown |
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown |
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown |
Source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23 |
Source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23 |
Source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23 |
Source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23 |
Source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC35E0 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC81D0 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC7BB0 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC6091 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC4269 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC6072 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC6023 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC603D |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECAF98 |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC3F9A |
Source: unknown | Process created: C:\Users\user\Desktop\5GPueTFF2S.exe C:\Users\user\Desktop\5GPueTFF2S.exe |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe" |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 |
Source: C:\ProgramData\75873290272674793137.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main |
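The process-creation rows above carry four behaviours worth a detection rule on their own: the dropper deletes itself through `cmd /c timeout /t 6 & del /f /q`, the second-stage `gntuud.exe` registers a scheduled task that re-launches it every minute, it then uses `CACLS ... /P "user:N"` followed by `/P "user:R" /E` so the logged-on user keeps read access but can no longer modify or delete the file and its directory, and finally it loads `cred64.dll` out of `%AppData%` through `rundll32.exe ..., Main`. The following is an added example, not part of the sandbox report, that runs those four patterns over process-creation events constructed by hand from the rows above plus two benign control rows; the rule names, the `ProcEvent` shape and the regexes are this example's own and are not a published signature set.

```python
"""Constructed example: behavioural rules over the process-creation rows above."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # full command line of the created process


# Hand-built from the report rows (not sandbox output). The last two rows are
# benign controls that must not fire.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\5GPueTFF2S.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

RULES = {
    # delayed self-deletion of the dropper
    "self_delete_after_timeout": re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q", re.I),
    # persistence: task fires every minute
    "schtasks_every_minute": re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I),
    # CACLS /P user:N strips the user's rights on a file or directory
    "cacls_deny_self": re.compile(r'cacls\s+"?[^"\s]+"?\s+/p\s+"?[^"\s:]+:n\b', re.I),
    # rundll32 loading a DLL export from a user profile directory
    "rundll32_userdir_dll": re.compile(
        r'rundll32(?:\.exe)?"?\s+"?[a-z]:\\users\\[^"\s]+\\appdata\\[^"\s]+\.dll\s*,\s*\w+', re.I),
}


def detect(events):
    """Return {rule_name: [matching ProcEvent, ...]} for every rule that fired."""
    hits = defaultdict(list)
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev.cmdline):
                hits[name].append(ev)
    return dict(hits)


def parents_by_rule_count(events):
    """Group fired rules by the parent process: one parent that persists,
    locks its own file and side-loads a DLL stands out from a single match."""
    per_parent = defaultdict(set)
    for name, evs in detect(events).items():
        for ev in evs:
            per_parent[ev.parent].add(name)
    return {parent: sorted(rules) for parent, rules in per_parent.items()}


if __name__ == "__main__":
    for name, evs in detect(EVENTS).items():
        for ev in evs:
            print(f"{name:28s} {ev.image}")
    for parent, rules in parents_by_rule_count(EVENTS).items():
        print(f"{len(rules)} rule(s) from {parent}: {', '.join(rules)}")
```

Grouping by parent is the useful part: `gntuud.exe` alone trips three of the four rules, which is a far stronger signal than any one of them (a scheduled task every minute or a `rundll32` export call both occur in legitimate software).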
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0 |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d)) |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx)); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: 42740063057692746811967690.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: 5GPueTFF2S.exe, 00000000.00000002.427389587.0000000008C22000.00000004.00000800.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.443932645.000000006096F000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' |
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_01 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_01 |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: EVjKc_MI |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: 75873290272674793137.exe.0.dr | Static PE information: section name: @]topACL |
Source: nppshell[1].exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: nppshell[1].exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: nppshell[1].exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: nppshell[1].exe.0.dr | Static PE information: section name: EVjKc_MI |
Source: nppshell[1].exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: nppshell[1].exe.0.dr | Static PE information: section name: @]topACL |
Source: gntuud.exe.1.dr | Static PE information: section name: lB@dO\ih |
Source: gntuud.exe.1.dr | Static PE information: section name: Fh?jG[OJ |
Source: gntuud.exe.1.dr | Static PE information: section name: qNR5:WbS |
Source: gntuud.exe.1.dr | Static PE information: section name: z?fd8ijJ |
Source: gntuud.exe.1.dr | Static PE information: section name: CV?7x>JO |
Source: gntuud.exe.1.dr | Static PE information: section name: EVjKc_MI |
Source: gntuud.exe.1.dr | Static PE information: section name: dT<:EHzj |
Source: gntuud.exe.1.dr | Static PE information: section name: @]topACL |
Source: cred64[1].dll.7.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64[1].dll.7.dr | Static PE information: section name: zDthL)*@ |
Source: cred64[1].dll.7.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64[1].dll.7.dr | Static PE information: section name: $^+<%+dU |
Source: cred64[1].dll.7.dr | Static PE information: section name: Z-),j99t |
Source: cred64[1].dll.7.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64[1].dll.7.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64[1].dll.7.dr | Static PE information: section name: n[uZh3ex |
Source: cred64[1].dll.7.dr | Static PE information: section name: Uh%r6i!H |
Source: cred64.dll.7.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64.dll.7.dr | Static PE information: section name: zDthL)*@ |
Source: cred64.dll.7.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64.dll.7.dr | Static PE information: section name: $^+<%+dU |
Source: cred64.dll.7.dr | Static PE information: section name: Z-),j99t |
Source: cred64.dll.7.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64.dll.7.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64.dll.7.dr | Static PE information: section name: n[uZh3ex |
Source: cred64.dll.7.dr | Static PE information: section name: Uh%r6i!H |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECBAFC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, |
Source: C:\ProgramData\75873290272674793137.exe | Memory written: PID: 6132 base: 640005 value: E9 FB 99 72 77 |
Source: C:\ProgramData\75873290272674793137.exe | Memory written: PID: 6132 base: 77D69A00 value: E9 0A 66 8D 88 |
Source: C:\ProgramData\75873290272674793137.exe | Memory written: PID: 6132 base: 7A0007 value: E9 7B 4C 60 77 |
Source: C:\ProgramData\75873290272674793137.exe | Memory written: PID: 6132 base: 77DA4C80 value: E9 8E B3 9F 88 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5292 base: 1030005 value: E9 FB 99 D3 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5292 base: 77D69A00 value: E9 0A 66 2C 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5292 base: 1040007 value: E9 7B 4C D6 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5292 base: 77DA4C80 value: E9 8E B3 29 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5956 base: 1290005 value: E9 FB 99 AD 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5956 base: 77D69A00 value: E9 0A 66 52 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5956 base: 2C40007 value: E9 7B 4C 16 75 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5956 base: 77DA4C80 value: E9 8E B3 E9 8A |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: EF0005 value: E9 FB 99 E7 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 77D69A00 value: E9 0A 66 18 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: F00007 value: E9 7B 4C EA 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 77DA4C80 value: E9 8E B3 15 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 32C0005 value: E9 FB BF A7 74 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 77D3C000 value: E9 0A 40 58 8B |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 32E0008 value: E9 AB E0 A9 74 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 77D7E0B0 value: E9 60 1F 56 8B |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 58A0005 value: E9 CB 5A D3 71 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 775D5AD0 value: E9 3A A5 2C 8E |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 58B0005 value: E9 5B B0 D4 71 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 775FB060 value: E9 AA 4F 2B 8E |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 58C0005 value: E9 DB F8 26 6F |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 74B2F8E0 value: E9 2A 07 D9 90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 58D0005 value: E9 FB 42 28 6F |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 74B54300 value: E9 0A BD D7 90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 77D3C000 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 775D5AD0 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 775FB060 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 74B2F8E0 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 5968 base: 74B54300 value: 8B FF 55 8B EC |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\ProgramData\75873290272674793137.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\ProgramData\75873290272674793137.exe | RDTSC instruction interceptor: First address: 00000000015B25FE second address: 00000000015D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A919E801h 0x00000008 call 00007F70A913D081h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A92EFF1Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | RDTSC instruction interceptor: First address: 00000000006E25FE second address: 00000000007033CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F70A8349041h 0x00000008 call 00007F70A82E78C1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F70A849A75Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000000559D526 second address: 000000000559D559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe TID: 5852 | Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\timeout.exe TID: 4904 | Thread sleep count: 42 > 30 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672 | Thread sleep time: -780000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5924 | Thread sleep time: -50000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836 | Thread sleep time: -2520000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5928 | Thread sleep time: -1440000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4836 | Thread sleep time: -180000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5672 | Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 30000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 50000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 360000 |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW_^ |
Source: 5GPueTFF2S.exe, 00000000.00000002.429571864.0000000008DD0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D: |
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423133875.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 5GPueTFF2S.exe, 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\ProgramData\75873290272674793137.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC35E0 _memset,GetProcAddress,KiUserExceptionDispatcher,CoInitialize,GetThreadUILanguage,TlsGetValue,GetSystemDefaultLangID,IsZoomed,FoldStringW,CoUninitialize,CoUninitialize,GetProcAddress,GetProcAddress,Sleep,OutputDebugStringW,SetLastError,GetLastError,GetLastError,SetLastError,GetConsoleCP,GetLastError,HeapCreate,GetProcAddress,Sleep,RtlAllocateHeap, |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process queried: DebugPort |
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugPort |
Source: C:\ProgramData\75873290272674793137.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECA6E1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECCEC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00EC91DC SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Code function: 0_2_00ECD545 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\ProgramData\75873290272674793137.exe "C:\ProgramData\75873290272674793137.exe" |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit |
Source: C:\ProgramData\75873290272674793137.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation |
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.b070000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.b070000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.5GPueTFF2S.exe.a3f900.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.5GPueTFF2S.exe.a3f900.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.432090196.000000000B0A5000.00000002.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.423403008.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.387953405.000000000B070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 5GPueTFF2S.exe PID: 5848, type: MEMORYSTR |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???? |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???? |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???? |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\???? |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???? |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \ElectronCash\wallets\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420608823.00000000009F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: info.seco |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectrumLTC |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \jaxx\Local Storage\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\ |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file__0.localstorage |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default_wallet |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum" |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: multidoge.wallet |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seed.seco |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore |
Source: 5GPueTFF2S.exe, 00000000.00000003.420692753.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\ |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Users\user\Desktop\5GPueTFF2S.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |