Source: 09212399.exe | Virustotal: Detection: 40% |
Source: C:\Users\user\Desktop\09212399.exe | Unpacked PE file: 0.2.09212399.exe.400000.0.unpack |
Source: 09212399.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\09212399.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll |
Source: | Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe |
Source: | Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images |
Source: C:\Windows\System32\certreq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 |
Source: global traffic | TCP traffic: 192.168.2.3:49699 -> 179.43.162.23:8509 |
Source: unknown | TCP traffic detected without corresponding DNS query: 179.43.162.23 |
Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png |
Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH |
Source: 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio |
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discord.com |
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com |
Source: certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip |
Source: certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://http:///etc/puk.keyMachineGuid |
Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\09212399.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_02716E4B | 0_3_02716E4B |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00416214 | 0_2_00416214 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_004182F4 | 0_2_004182F4 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023E707B | 0_2_023E707B |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023E915B | 0_2_023E915B |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D4A10 | 1_3_00000188240D4A10 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D2792 | 1_3_00000188240D2792 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D1B9C | 1_3_00000188240D1B9C |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D2C32 | 1_3_00000188240D2C32 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D5E54 | 1_3_00000188240D5E54 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D5554 | 1_3_00000188240D5554 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D58D4 | 1_3_00000188240D58D4 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D24ED | 1_3_00000188240D24ED |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_0040203B NtProtectVirtualMemory, | 0_2_0040203B |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_004018FB GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,NtQuerySystemInformation,HeapAlloc,RtlAllocateHeap,NtQuerySystemInformation,HeapAlloc,WideCharToMultiByte,_strlen,OutputDebugStringW,HeapFree,_rand,_rand,HeapAlloc,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CreateFileW,ReadFile,CloseHandle,HeapFree, | 0_2_004018FB |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree, | 0_2_0040250D |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_0040159B GetCurrentProcess,VirtualAllocExNuma,NtAllocateVirtualMemory,HeapAlloc,InterlockedIncrement,InterlockedIncrement,HeapAlloc,InterlockedIncrement,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapAlloc, | 0_2_0040159B |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023D3374 HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,WaitForSingleObject,HeapFree,HeapFree,HeapDestroy,NtContinue,NtContinue,NtContinue,GetProcessHeap,HeapFree, | 0_2_023D3374 |
Source: C:\Windows\System32\certreq.exe | Code function: 1_3_00000188240D30A7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, | 1_3_00000188240D30A7 |
Source: 09212399.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: 09212399.exe | Virustotal: Detection: 40% |
Source: C:\Users\user\Desktop\09212399.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\09212399.exe C:\Users\user\Desktop\09212399.exe |
Source: C:\Users\user\Desktop\09212399.exe | Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe |
Source: C:\Windows\System32\certreq.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\09212399.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880 |
Source: C:\Users\user\Desktop\09212399.exe | Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe |
Source: C:\Users\user\Desktop\09212399.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: C:\Users\user\Desktop\09212399.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@5/0@0/1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01 |
Source: C:\Users\user\Desktop\09212399.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6} |
Source: 09212399.exe | String found in binary or memory: {d764e42e-add5-9d16-74e7-6164935016d1} |
Source: 09212399.exe | String found in binary or memory: {a722ed69-f75e-adda-c282-357b7a5881c0} |
Source: 09212399.exe | String found in binary or memory: {2a53b0ee-add5-8019-6f4d-b504148f277d} |
Source: 09212399.exe | String found in binary or memory: {fd1f761c-addd-f638-ccfc-dc2ddad2eb2e} |
Source: 09212399.exe | String found in binary or memory: {93c09873-6c92-83d1-add1-d1cf6ce0db24} |
Source: 09212399.exe | String found in binary or memory: {67db7274-addc-33aa-369d-f51ff4fbdf01} |
Source: 09212399.exe | String found in binary or memory: {652d3a0a-0179-af7e-c9e4-add04bde0b9b} |
Source: 09212399.exe | String found in binary or memory: {04e8de6c-add6-baab-c21e-7d664f7ae35c} |
Source: 09212399.exe | String found in binary or memory: {e530ebc8-addd-aec2-555f-9c575215134d} |
Source: 09212399.exe | String found in binary or memory: {64f34c59-9151-4877-321d-add8d2d439f6} |
Source: C:\Windows\System32\certreq.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 09212399.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\09212399.exe | Unpacked PE file: 0.2.09212399.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R; |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_0271434F push esp; retf | 0_3_0271459C |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_02717F4F push ecx; retf | 0_3_02717FB0 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_02710FF2 push edx; iretd | 0_3_0271109E |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_02714DED pushad ; retf | 0_3_02714DF7 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_027106EC push edi; retf | 0_3_027106ED |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_027149B2 push es; iretd | 0_3_027149B3 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_3_02714D8D push es; retf | 0_3_02714D8E |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00416203 push ecx; ret | 0_2_00416213 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00416320 push eax; ret | 0_2_00416334 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_00416320 push eax; ret | 0_2_0041635C |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023E706A push ecx; ret | 0_2_023E707A |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023E7187 push eax; ret | 0_2_023E719B |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_023E7187 push eax; ret | 0_2_023E71C3 |
Source: C:\Users\user\Desktop\09212399.exe | Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_004179F7 |
Source: initial sample | Static PE information: section name: .text entropy: 7.890261806957562 |
Source: C:\Windows\System32\certreq.exe | File deleted: c:\users\user\desktop\09212399.exe |
Source: C:\Users\user\Desktop\09212399.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\System32\certreq.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: Yara match | File source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 09212399.exe PID: 4968, type: MEMORYSTR |
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE |
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXE |
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE |
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE |
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;*!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;*!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYANONYMOUSUSERC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORROOT\CIMV2VIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST 
ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT |