Note: the URLs in this block were recovered from two svchost.exe instances (sandbox processes 0x5 and 0xB) that carry no YARA matches anywhere in this report. They are Bing Maps (virtualearth.net, ditu.live.com, bingmapsportal.com), Xbox Live and Windows notification (notify.windows.com) endpoints that Windows services contact on their own, so they are not indicators for the Tofsee, SmokeLoader or RedLine detections below. Process 23 is a different svchost.exe instance and is the one that does carry Tofsee matches.
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.309037099.00000189DAC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309364718.00000189DAC39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
YARA rule metadata (as reported; identical for every hit of that rule listed below):
MALWARE_Win_Tofsee: author = ditekSHen, description = Detects Tofsee
Windows_Trojan_Tofsee_26124fe4: Author: unknown; reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Windows_Trojan_Smokeloader_3687686f: Author: unknown; reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Windows_Trojan_RedLineStealer_ed346e4c: Author: unknown; reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

YARA matches by source. Names of the form N.phase.image.addr.idx[.raw].unpack are PE images re-extracted from process N; .sdmp names are memory dumps whose first two fields are the same sandbox process number (in hex) and the same phase, so 17.2.qbxctmyn.exe and 00000011.00000002 refer to the same process (17) at the same point of the analysis. Three processes carry matches: 0 (file.exe), 17 (qbxctmyn.exe) and 23 (svchost.exe).
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Matched rules: Windows_Trojan_Smokeloader_3687686f; Windows_Trojan_Tofsee_26124fe4
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rules: Windows_Trojan_RedLineStealer_ed346e4c
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Matched rules: Windows_Trojan_Smokeloader_3687686f; Windows_Trojan_Tofsee_26124fe4
Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rules: Windows_Trojan_RedLineStealer_ed346e4c
Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Matched rules: MALWARE_Win_Tofsee; Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, |
0_2_00409A6B |
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe |
Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, |
17_2_00409A6B |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, |
23_2_00129A6B |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\ |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\ |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support |
|
Source: C:\Windows\SysWOW64\sc.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection |
|
Source: C:\Windows\SysWOW64\sc.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug |
|
Source: C:\Windows\SysWOW64\sc.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe" |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
|
Source: C:\Windows\SysWOW64\netsh.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc |
|
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe |
Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe |
|
Source: C:\Windows\System32\svchost.exe |
Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|