Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | ReversingLabs: Detection: 87% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | ReversingLabs: Detection: 61% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe | ReversingLabs: Detection: 48% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | ReversingLabs: Detection: 58% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | ReversingLabs: Detection: 88% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | ReversingLabs: Detection: 48% |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: | Binary string: wextract.pdb source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr |
Source: | Binary string: Healer.pdb source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: wextract.pdbGCTL source: dh58NtARpk.exe, niba7464.exe.1.dr, niba6381.exe.0.dr |
Source: | Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr |
Source: | Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, f6228Ih.exe, 00000003.00000000.239784677.0000000000162000.00000002.00000001.01000000.00000006.sdmp, f6228Ih.exe.2.dr |
Source: | Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba7464.exe, 00000002.00000003.239342655.0000000004374000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000000.266171659.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h27pP32.exe.2.dr |
Source: | Binary string: _.pdb source: h27pP32.exe, 00000005.00000002.304543261.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.281688316.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6381.exe, 00000001.00000003.238348092.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, iycPo61.exe.1.dr |
Source: | Binary string: Healer.pdbH5 source: h27pP32.exe, 00000005.00000002.305948165.0000000007090000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304830250.0000000004640000.00000004.00000020.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000002.304929325.0000000004840000.00000004.08000000.00040000.00000000.sdmp, h27pP32.exe, 00000005.00000002.305167089.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, h27pP32.exe, 00000005.00000003.279403507.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\ |
Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000005.00000002.304521804.0000000002B66000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE3BA2 |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC3BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00408C60 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040DC11 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00407C3F |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418CCC |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00406CA0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004028B0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041A4BE |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418244 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00401650 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402F20 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004193C4 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00418788 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402F89 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00402B90 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004073A0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F84AB |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E2DF7 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044EDE78 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E8EC7 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E7EA6 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E6F07 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FA725 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F8F33 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E77D9 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E786D |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E18B7 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F89EF |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E31F0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E3187 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044E2B17 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A20DB0 |
Source: dh58NtARpk.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 711755 bytes, 2 files, at 0x2c +A "niba6381.exe" +A "l91ip55.exe", ID 1893, number 1, 28 datablocks, 0x1503 compression |
Source: niba6381.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 566313 bytes, 2 files, at 0x2c +A "niba7464.exe" +A "iycPo61.exe", ID 1978, number 1, 24 datablocks, 0x1503 compression |
Source: niba7464.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 206918 bytes, 2 files, at 0x2c +A "f6228Ih.exe" +A "h27pP32.exe", ID 1727, number 1, 11 datablocks, 0x1503 compression |
Source: unknown | Process created: C:\Users\user\Desktop\dh58NtARpk.exe C:\Users\user\Desktop\dh58NtARpk.exe |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\niba6381.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\niba7464.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP001.TMP\ |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\ |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Command line argument: 08A |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C40C push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00423149 push eax; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C50E push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004231C8 push eax; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040E21D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0041C6BE push ebx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044EE484 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FBE73 push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FBF75 push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044FC125 push ebx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A24139 push edi; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_04A2454E push ecx; retf |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe | Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\iycPo61.exe | Jump to dropped file |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f6228Ih.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP002.TMP\h27pP32.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\Local\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | File opened: C:\Users\user~1\AppData\ |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE6F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\dh58NtARpk.exe | Code function: 0_2_00BE6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC6F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6381.exe | Code function: 1_2_00CC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC6F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba7464.exe | Code function: 2_2_00BC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_004123F1 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F2658 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044ED070 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044EE883 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h27pP32.exe | Code function: 5_2_044F71D1 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: Yara match | File source: 5.3.h27pP32.exe.4530000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.dh58NtARpk.exe.524f020.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.dh58NtARpk.exe.524f020.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.h27pP32.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.h27pP32.exe.44e0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.h27pP32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000005.00000002.304653945.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.304145218.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.235426938.00000000051A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000003.279003649.0000000004530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l91ip55.exe, type: DROPPED |