Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 CryptAcquireContextA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 CryptDeriveKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B01AF CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B035E CryptDestroyKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B056E CryptReleaseContext, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AF6E3 CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C2A13 CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5B70 CryptBinaryToStringA, |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AEB1B CryptGenKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D96B6D8 CryptHashData,LoadLibraryW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D979484 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D980486 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D980CD9 CryptDestroyKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D987CD1 CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D99140C CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D97279D HttpSendRequestW,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D973F01 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D968F2B CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D9D9750 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D98AF62 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D9646B5 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D972EF8 GetProcAddress,CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D9EC13D CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D96C080 CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D97E812 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D989035 CryptReleaseContext, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D980283 CryptReleaseContext,GetProcAddress,GetProcAddress, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D987ADA CryptDeriveKey, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D96EAE5 CryptGetHashParam, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D98321F CryptHashData, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D971A58 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D9B6A70 CryptEncrypt, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D96CA64 CryptEncrypt, |
Source: 00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.309288628.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000000.00000002.309087545.0000000002254000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004FA0B0 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B4115 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB2C2 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C13A5 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DE3A7 |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A067F |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004DD9E8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D99213A |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D9A822C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D96CA64 |
Source: unknown | Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F7054 push 004E123Eh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F0321 push 004ED2FBh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D6483 push 0046B803h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D85D5 push 004C899Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EB75E push 004D3CB3h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004EA92F push 004DAC2Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F59CA push 004B1D5Fh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AB9D1 push 0046C15Ah; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046FE63 push 00469E02h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004ADFCDh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C8FA2 push 004B29F4h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00491044 push 0046B803h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004F3042 push 004BACA2h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047E048 push 004F3C92h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004A5057 push 004A4A45h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004AC057 push 004A024Ch; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00494069 push 0046CDFCh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049B068 push 0046CDFCh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046D063 push 0046AD57h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004C5069 push 004ADFCDh; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_0047B07B push 00469E02h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D300B push dword ptr [004FD567h]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004CD000 push 004A0557h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B8005 push 004AC2A1h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_00474016 push 0046C15Ah; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004B701A push 004F3C92h; ret |
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe | Code function: 0_2_004D1013 push 004B06B3h; ret |
Source: rundll32.exe, 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW |
Source: LwNdQo4zIk.exe, 00000000.00000002.309915707.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef |
Source: rundll32.exe, 00000001.00000002.689792009.000000006DA0B000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: SetProgmanW |
Source: LwNdQo4zIk.exe, 00000000.00000002.309915707.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr | Binary or memory string: SetProgmanWindow |