Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Avira: detection malicious, Label: HEUR/AGEN.1252166 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | ReversingLabs: Detection: 87% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Virustotal: Detection: 81% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | ReversingLabs: Detection: 58% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Virustotal: Detection: 56% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | ReversingLabs: Detection: 48% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | Virustotal: Detection: 51% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | ReversingLabs: Detection: 58% |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Virustotal: Detection: 53% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | ReversingLabs: Detection: 88% |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | ReversingLabs: Detection: 46% |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe | Joe Sandbox ML: detected |
Source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.28:4125", "Bot Id": "ruka", "Message": "", "Authorization Header": "5d1d0e51ebe1e3f16cca573ff651c43c"} |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00072F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01252F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll |
Source: pYHrqNhFKr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: | Binary string: wextract.pdb source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr |
Source: | Binary string: Healer.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: wextract.pdbGCTL source: pYHrqNhFKr.exe, niba6073.exe.0.dr, niba2214.exe.1.dr |
Source: | Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr |
Source: | Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, f7051zI.exe, 00000003.00000000.244138101.0000000000CA2000.00000002.00000001.01000000.00000006.sdmp, f7051zI.exe.2.dr |
Source: | Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: niba2214.exe, 00000002.00000003.243954252.0000000004A0C000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000000.269895289.0000000000401000.00000020.00000001.01000000.00000009.sdmp, h99af07.exe.2.dr |
Source: | Binary string: _.pdb source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000003.283921128.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: C:\zarepot\talotoyuy1\guf.pdb source: niba6073.exe, 00000001.00000003.242966738.0000000004521000.00000004.00000020.00020000.00000000.sdmp, imYkV36.exe.1.dr |
Source: | Binary string: Healer.pdbH5 source: h99af07.exe, 00000005.00000003.281384842.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307743738.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.308257566.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, h99af07.exe, 00000005.00000002.307495557.0000000004750000.00000004.00000020.00020000.00000000.sdmp, h99af07.exe, 00000005.00000002.307402577.0000000004640000.00000004.08000000.00040000.00000000.sdmp |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, l64fQ59.exe.0.dr | String found in binary or memory: https://api.ip.sb/ip |
Source: h99af07.exe, 00000005.00000002.307016604.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000005.00000002.307087402.0000000002E97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00071F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01251F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A3BA2 |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A5C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00073BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00075C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01253BA2 |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01255C9E |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00408C60 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040DC11 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00407C3F |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418CCC |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00406CA0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004028B0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041A4BE |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418244 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00401650 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402F20 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004193C4 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00418788 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402F89 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00402B90 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004073A0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E0DB0 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: String function: 0040E1D8 appears 44 times |
Source: pYHrqNhFKr.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 710141 bytes, 2 files, at 0x2c +A "niba6073.exe" +A "l64fQ59.exe", ID 1861, number 1, 28 datablocks, 0x1503 compression |
Source: niba6073.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 564865 bytes, 2 files, at 0x2c +A "niba2214.exe" +A "imYkV36.exe", ID 1948, number 1, 23 datablocks, 0x1503 compression |
Source: niba2214.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205776 bytes, 2 files, at 0x2c +A "f7051zI.exe" +A "h99af07.exe", ID 1758, number 1, 11 datablocks, 0x1503 compression |
Source: pYHrqNhFKr.exe, 00000000.00000003.241408245.000000000300D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe |
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe |
Source: pYHrqNhFKr.exe, 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWearing.exe< vs pYHrqNhFKr.exe |
Source: pYHrqNhFKr.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs pYHrqNhFKr.exe |
Source: imYkV36.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: h99af07.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: pYHrqNhFKr.exe | ReversingLabs: Detection: 69% |
Source: pYHrqNhFKr.exe | Virustotal: Detection: 50% |
Source: pYHrqNhFKr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\pYHrqNhFKr.exe C:\Users\user\Desktop\pYHrqNhFKr.exe |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\ |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\ |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@0/0 |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A3FEF CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Code function: 3_2_00007FFC9DD11B10 ChangeServiceConfigA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A4FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Command line argument: 08A |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Automated click: OK |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Automated click: OK |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: pYHrqNhFKr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Unpacked PE file: 5.2.h99af07.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R; |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_0007724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_0125724D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C40C push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00423149 push eax; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C50E push cs; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00422D28 push ss; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004231C8 push eax; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040E21D push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0041C6BE push ebx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_02E9C693 push edi; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_02E99748 push FFFFFFE1h; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E454E push ecx; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_045E4139 push edi; iretd |
Source: initial sample | Static PE information: section name: .text entropy: 7.842085736950787 |
Source: initial sample | Static PE information: section name: .text entropy: 7.7554731967823 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\imYkV36.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00071AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01251AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe TID: 5184 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe TID: 2512 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A5467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00072390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01252390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040ADB0 GetProcessHeap,HeapFree, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Process token adjusted: Debug |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Process token adjusted: Debug |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_02E97C33 push dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A6F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00076F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\niba6073.exe | Code function: 1_2_00076CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01256F40 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\niba2214.exe | Code function: 2_2_01256CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: 5_2_004123F1 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A18A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\h99af07.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A7155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
Source: C:\Users\user\Desktop\pYHrqNhFKr.exe | Code function: 0_2_008A2BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, |
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\f7051zI.exe | Code function: 3_2_00007FFC9DD1077D GetUserNameA, |
Source: Yara match | File source: 5.2.h99af07.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.h99af07.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.h99af07.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.pYHrqNhFKr.exe.4c79c20.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000005.00000002.306344937.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.306851644.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.241248149.0000000004BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\l64fQ59.exe, type: DROPPED |