| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
| Source: WerFault.exe, 0000000A.00000002.367143979.00000000003CF000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.00000000003C2000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
| Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0; |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W |
| Source: WerFault.exe, 0000000A.00000002.375602362.00000000039FE000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0 |
| Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
| Source: WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0% |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0- |
| Source: WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/ |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05 |
| Source: WerFault.exe, 0000000A.00000002.367143979.00000000003CF000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.00000000003C2000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D |
| Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr10) |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.342781591.000000000022B000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.603202980.000000000022B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1c301 |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.pki.goog/gtsr100 |
| Source: lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02 |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.342781591.000000000022B000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000011.00000002.603202980.000000000022B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0 |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04 |
| Source: svchost.exe, 00000016.00000000.345782413.0000000001FFC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.605131595.0000000001FFC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.com/win/2004/08/events |
| Source: svchost.exe, 00000019.00000000.346998279.0000000001FD6000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.608643399.0000000001FD6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micro |
| Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
| Source: WerFault.exe, 0000000A.00000002.375602362.00000000039FE000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
| Source: explorer.exe, 0000001F.00000002.606706574.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.608288265.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350702735.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.606706574.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner |
| Source: explorer.exe, 0000001F.00000002.606706574.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.608288265.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350702735.0000000007AE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.606706574.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.350381000.0000000003E98000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv |
| Source: explorer.exe, 0000001F.00000000.350097876.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.604991513.000000000260E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerxe |
| Source: lsass.exe, 00000011.00000002.606687725.0000000001220000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.000000000122E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000011.00000000.343011330.0000000001220000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0 |
| Source: WerFault.exe, 0000000A.00000002.376314972.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A41000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363658371.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.367143979.000000000044C000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000002.376314972.0000000003A63000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000A.00000003.363740029.0000000003A63000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0 |
| Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org |
| Source: svchost.exe, 00000018.00000002.603627532.0000000002668000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.346476637.0000000002668000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://update.googleapis.com/service/update2?cup2key=13:9PlIcYzJ7FuPKbYwS8xEdZ3KAlYn7hgULJcTQTtHhro |
| Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org |
| Source: explorer.exe, 0000001F.00000002.602714101.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_005728C8 NtEnumerateValueKey,NtEnumerateValueKey, | 0_2_005728C8 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6E460 NtUnmapViewOfSection, | 0_2_000007FE93D6E460 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6FEF4 NtUnmapViewOfSection, | 0_2_000007FE93D6FEF4 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6FE1A NtUnmapViewOfSection, | 0_2_000007FE93D6FE1A |
| Source: C:\Windows\explorer.exe | Code function: 2_2_0000000140001394 NtAlpcConnectPort, | 2_2_0000000140001394 |
| Source: C:\Windows\System32\dialer.exe | Code function: 3_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, | 3_2_00000001400010C0 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001F2244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, | 6_2_001F2244 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001F2330 NtQueryDirectoryFile,GetFileType,StrCpyW, | 6_2_001F2330 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_02482244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, | 10_2_02482244 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_02482330 NtQueryDirectoryFile,GetFileType,StrCpyW, | 10_2_02482330 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_0248202C NtQuerySystemInformation,StrCmpNIW, | 10_2_0248202C |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_009828C8 NtEnumerateValueKey,NtEnumerateValueKey, | 12_2_009828C8 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_001628C8 NtEnumerateValueKey,NtEnumerateValueKey, | 13_2_001628C8 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00162244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, | 13_2_00162244 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00162B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 13_2_00162B2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_0028202C NtQuerySystemInformation,StrCmpNIW, | 16_2_0028202C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002828C8 NtEnumerateValueKey,NtEnumerateValueKey, | 16_2_002828C8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00282244 GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread, | 16_2_00282244 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00282B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 16_2_00282B2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64BC40 GetCommandLineW,PathGetArgsW,GetCurrentProcess,NtQueryInformationProcess,memset,#155, | 16_2_FF64BC40 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63FD40 ResumeThread,GetPriorityClass,GetLastError,NtQueryInformationProcess,NtQueryInformationProcess,AssignProcessToJobObject,GetLastError, | 16_2_FF63FD40 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63ED28 GetShellWindow,CoCreateInstance,CreateEventW,SetEvent,memset,NtSetSystemInformation,GetCurrentThreadId,SetTimer, | 16_2_FF63ED28 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF696DE0 SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationProcess, | 16_2_FF696DE0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64A550 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtQueryInformationToken, | 16_2_FF64A550 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009C202C NtQuerySystemInformation,StrCmpNIW, | 17_2_009C202C |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_002628C8 NtEnumerateValueKey,NtEnumerateValueKey, | 19_2_002628C8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014A202C NtQuerySystemInformation,StrCmpNIW, | 22_2_014A202C |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C62330 NtQueryDirectoryFile,GetFileType,StrCpyW, | 25_2_00C62330 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, CleanShutdown | 16_2_FF64020C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, CleanShutdown | 16_2_FF64020C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: RegisterTraceGuidsW,RegDeleteKeyExW,GetCurrentProcess,SetPriorityClass,SystemParametersInfoW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegCreateKeyW,CreateMutexW,WaitForSingleObject,#899,#188,SetProcessShutdownParameters,PeekMessageW,WaitForSingleObject,CloseHandle,OleInitialize,CoCreateInstance,#660,SHGetValueW,GetUserDefaultUILanguage,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,SHGetSpecialFolderPathW,GetSystemMetrics,CreateEventW,GetSystemMetrics,#885,CloseHandle,RegQueryValueExW,RegSetValueExW,#110,SHCreateThreadRef,SHSetThreadRef,#176,ReleaseMutex,CloseHandle,PostMessageW,#16,GetCurrentProcess,SetPriorityClass,RegisterApplicationRestart,CoCreateInstance,#201,ReleaseMutex,CloseHandle,GetCurrentProcess,SetPriorityClass,memset,SHGetKnownFolderIDList,ShellExecuteExW,#155,memset,GetCommandLineW,PathGetArgsW,CoCreateInstance,CoCreateInstance,CoCreateInstance,memset,GetStartupInfoW,#155,LoadLibraryW,GetProcAddress,FreeLibrary,SHSetThreadRef,GetMessageW,TranslateMessage,DispatchMessageW,RegSetValueExW,#111,OleUninitialize,#188,GetCommandLineW,PathGetArgsW,#158,#10,UnregisterTraceGuids,ExitProcess, CleanShutdown | 16_2_FF64020C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: GetWindowsDirectoryW,PathCombineW,memset,ShellExecuteExW, /Reboot Shutdown | 16_2_FF698DE8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF621364 DefWindowProcW,#479,SetLastError,EnumChildWindows,#158,#158,BeginPaint,PostMessageW,GetClientRect,IsCompositionActive,#197,DrawThemeBackground,#8,#9,#10,PostMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,#479,LoadCursorW,SetCursor,UpdateWindow,GetClientRect,GetClipBox,IsCompositionActive,#197,DrawThemeBackground,EndPaint,#4,EnumDisplayMonitors,EnumChildWindows,EnumChildWindows,SendMessageW,#100,SendMessageW,SendMessageW,GetDoubleClickTime,TrackMouseEvent,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetTimer,LoadCursorW,SetCursor,#127,EnumDisplayMonitors,ShowWindow,ShowWindow,DestroyWindow,GetClientRect,MapWindowPoints,PtInRect,PtInRect,PtInRect,PtInRect,GetWindowRect,GetMessagePos,PtInRect,DefWindowProcW,InflateRect,SendMessageW,SendMessageW,SendMessageW,GetFocus,#204,#165,GetSystemMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,SendMessageW,#165,KillTimer,SendMessageW,PostMessageW,SendMessageW,GetCursorPos,GetSystemMetrics,GetSystemMetrics,InflateRect,SendMessageW,SendMessageW,FillRect,MapWindowPoints,InflateRect,DrawEdge,GlobalGetAtomNameW,#190,UnregisterHotKey,#388,SetWindowPos,CoMarshalInterThreadInterfaceInStream,ExitWindowsEx,PostMessageW,PostMessageW, | 16_2_FF621364 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_0054D0E0 | 0_2_0054D0E0 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_005538A8 | 0_2_005538A8 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_00541F2C | 0_2_00541F2C |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_0057DCE0 | 0_2_0057DCE0 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_005844A8 | 0_2_005844A8 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_00572B2C | 0_2_00572B2C |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5FC20 | 0_2_000007FE93D5FC20 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6A3C5 | 0_2_000007FE93D6A3C5 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5A9B0 | 0_2_000007FE93D5A9B0 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5A9B8 | 0_2_000007FE93D5A9B8 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5D8C9 | 0_2_000007FE93D5D8C9 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D667DA | 0_2_000007FE93D667DA |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D55EDC | 0_2_000007FE93D55EDC |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D606E0 | 0_2_000007FE93D606E0 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D54670 | 0_2_000007FE93D54670 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5DD58 | 0_2_000007FE93D5DD58 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6BD38 | 0_2_000007FE93D6BD38 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6CCEE | 0_2_000007FE93D6CCEE |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D6220A | 0_2_000007FE93D6220A |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D510D0 | 0_2_000007FE93D510D0 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D51098 | 0_2_000007FE93D51098 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D69E84 | 0_2_000007FE93D69E84 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93E50E25 | 0_2_000007FE93E50E25 |
| Source: C:\Windows\explorer.exe | Code function: 2_2_0000000140003B30 | 2_2_0000000140003B30 |
| Source: C:\Windows\System32\dialer.exe | Code function: 3_2_000000014000226C | 3_2_000000014000226C |
| Source: C:\Windows\System32\dialer.exe | Code function: 3_2_00000001400014D8 | 3_2_00000001400014D8 |
| Source: C:\Windows\System32\dialer.exe | Code function: 3_2_0000000140002560 | 3_2_0000000140002560 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001D38A8 | 6_2_001D38A8 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001CD0E0 | 6_2_001CD0E0 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001C1F2C | 6_2_001C1F2C |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_002044A8 | 6_2_002044A8 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001FDCE0 | 6_2_001FDCE0 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001F2B2C | 6_2_001F2B2C |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_02482B2C | 10_2_02482B2C |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_0248DCE0 | 10_2_0248DCE0 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_024944A8 | 10_2_024944A8 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_009638A8 | 12_2_009638A8 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_0095D0E0 | 12_2_0095D0E0 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_00951F2C | 12_2_00951F2C |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_009944A8 | 12_2_009944A8 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_0098DCE0 | 12_2_0098DCE0 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_00982B2C | 12_2_00982B2C |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_001438A8 | 13_2_001438A8 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_0013D0E0 | 13_2_0013D0E0 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00131F2C | 13_2_00131F2C |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00162B2C | 13_2_00162B2C |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_001744A8 | 13_2_001744A8 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_0016DCE0 | 13_2_0016DCE0 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_001E38A8 | 15_2_001E38A8 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_001DD0E0 | 15_2_001DD0E0 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_001D1F2C | 15_2_001D1F2C |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_002144A8 | 15_2_002144A8 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_0020DCE0 | 15_2_0020DCE0 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_00202B2C | 15_2_00202B2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_000F38A8 | 16_2_000F38A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_000ED0E0 | 16_2_000ED0E0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_000E1F2C | 16_2_000E1F2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00282B2C | 16_2_00282B2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002944A8 | 16_2_002944A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_0028DCE0 | 16_2_0028DCE0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002D38A8 | 16_2_002D38A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002CD0E0 | 16_2_002CD0E0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002C1F2C | 16_2_002C1F2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_003044A8 | 16_2_003044A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002FDCE0 | 16_2_002FDCE0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002F2B2C | 16_2_002F2B2C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF696FCC | 16_2_FF696FCC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64020C | 16_2_FF64020C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65CF70 | 16_2_FF65CF70 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF631F58 | 16_2_FF631F58 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF662F20 | 16_2_FF662F20 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF646FC0 | 16_2_FF646FC0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6C6FB8 | 16_2_FF6C6FB8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF644FBC | 16_2_FF644FBC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF69EF9C | 16_2_FF69EF9C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF655E78 | 16_2_FF655E78 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF640E24 | 16_2_FF640E24 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A9E9C | 16_2_FF6A9E9C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF652D48 | 16_2_FF652D48 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF643D54 | 16_2_FF643D54 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6C0D30 | 16_2_FF6C0D30 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF630D00 | 16_2_FF630D00 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF647DA0 | 16_2_FF647DA0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF678D90 | 16_2_FF678D90 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF631C1C | 16_2_FF631C1C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62BCCC | 16_2_FF62BCCC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF635CD0 | 16_2_FF635CD0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65DCA8 | 16_2_FF65DCA8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF641B7C | 16_2_FF641B7C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A5BE8 | 16_2_FF6A5BE8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A0BF0 | 16_2_FF6A0BF0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF636BD4 | 16_2_FF636BD4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65FBA0 | 16_2_FF65FBA0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64FBB0 | 16_2_FF64FBB0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62AB88 | 16_2_FF62AB88 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66AB94 | 16_2_FF66AB94 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62AA70 | 16_2_FF62AA70 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF626A40 | 16_2_FF626A40 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF676A54 | 16_2_FF676A54 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF638AF0 | 16_2_FF638AF0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF652AC0 | 16_2_FF652AC0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A3ADC | 16_2_FF6A3ADC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64BAA0 | 16_2_FF64BAA0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65CAA0 | 16_2_FF65CAA0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66EAB0 | 16_2_FF66EAB0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6C893C | 16_2_FF6C893C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF622904 | 16_2_FF622904 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6AA910 | 16_2_FF6AA910 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6439D8 | 16_2_FF6439D8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF69A81C | 16_2_FF69A81C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62A8E8 | 16_2_FF62A8E8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A88D0 | 16_2_FF6A88D0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A98A8 | 16_2_FF6A98A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65D8B0 | 16_2_FF65D8B0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63F8B4 | 16_2_FF63F8B4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF697888 | 16_2_FF697888 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65F750 | 16_2_FF65F750 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63B75C | 16_2_FF63B75C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65E720 | 16_2_FF65E720 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66A720 | 16_2_FF66A720 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF624708 | 16_2_FF624708 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF657708 | 16_2_FF657708 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6377D6 | 16_2_FF6377D6 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A47A8 | 16_2_FF6A47A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63A7BC | 16_2_FF63A7BC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65A664 | 16_2_FF65A664 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62E670 | 16_2_FF62E670 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A1654 | 16_2_FF6A1654 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF623604 | 16_2_FF623604 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF646618 | 16_2_FF646618 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66B6F0 | 16_2_FF66B6F0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64D6A0 | 16_2_FF64D6A0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65169C | 16_2_FF65169C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62F56C | 16_2_FF62F56C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6B157C | 16_2_FF6B157C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6585A0 | 16_2_FF6585A0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6215B4 | 16_2_FF6215B4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF655468 | 16_2_FF655468 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62E478 | 16_2_FF62E478 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66C450 | 16_2_FF66C450 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63E45C | 16_2_FF63E45C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6AA434 | 16_2_FF6AA434 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62241C | 16_2_FF62241C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A24D8 | 16_2_FF6A24D8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66B488 | 16_2_FF66B488 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63F48C | 16_2_FF63F48C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF652360 | 16_2_FF652360 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF621364 | 16_2_FF621364 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65B328 | 16_2_FF65B328 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A6334 | 16_2_FF6A6334 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF646308 | 16_2_FF646308 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF629310 | 16_2_FF629310 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6BC3E0 | 16_2_FF6BC3E0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6483A8 | 16_2_FF6483A8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64939C | 16_2_FF64939C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62C2AC | 16_2_FF62C2AC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF69B110 | 16_2_FF69B110 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63A1E8 | 16_2_FF63A1E8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62C1D0 | 16_2_FF62C1D0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62D0C8 | 16_2_FF62D0C8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65E0B0 | 16_2_FF65E0B0 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_001038A8 | 17_2_001038A8 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_000FD0E0 | 17_2_000FD0E0 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_000F1F2C | 17_2_000F1F2C |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009D44A8 | 17_2_009D44A8 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009CDCE0 | 17_2_009CDCE0 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009C2B2C | 17_2_009C2B2C |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_001C38A8 | 19_2_001C38A8 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_001BD0E0 | 19_2_001BD0E0 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_001B1F2C | 19_2_001B1F2C |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_002744A8 | 19_2_002744A8 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_0026DCE0 | 19_2_0026DCE0 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_00262B2C | 19_2_00262B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0068D0E0 | 20_2_0068D0E0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006938A8 | 20_2_006938A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_00681F2C | 20_2_00681F2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006BDCE0 | 20_2_006BDCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006C44A8 | 20_2_006C44A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006B2B2C | 20_2_006B2B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014ADCE0 | 22_2_014ADCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014B44A8 | 22_2_014B44A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014A2B2C | 22_2_014A2B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BD44A8 | 23_2_00BD44A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BCDCE0 | 23_2_00BCDCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BC2B2C | 23_2_00BC2B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A844A8 | 24_2_00A844A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A7DCE0 | 24_2_00A7DCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A72B2C | 24_2_00A72B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C6DCE0 | 25_2_00C6DCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C744A8 | 25_2_00C744A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C62B2C | 25_2_00C62B2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_001238A8 | 26_2_001238A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_0011D0E0 | 26_2_0011D0E0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_00111F2C | 26_2_00111F2C |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_002D44A8 | 26_2_002D44A8 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_002CDCE0 | 26_2_002CDCE0 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_002C2B2C | 26_2_002C2B2C |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: bcrypt.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: shfolder.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Section loaded: amsi.dll | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Section loaded: ntmarta.dll | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: explorerframe.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: duser.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: dui70.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: powrprof.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: dwmapi.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: slc.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: secur32.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: propsys.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: winsta.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: cryptbase.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Section loaded: rpcrtremote.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: duser.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: dui70.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: slc.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: secur32.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll | Jump to behavior |
| Source: C:\Windows\explorer.exe | Section loaded: propsys.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: rasapi32.dll | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Section loaded: rasman.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_0055ACDD push rcx; retf 003Fh | 0_2_0055ACDE |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_0058C6DD push rcx; retf 003Fh | 0_2_0058C6DE |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D5DD58 push eax; retf | 0_2_000007FE93D5E039 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D500BD pushad ; iretd | 0_2_000007FE93D500C1 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D51E6D pushad ; retf | 0_2_000007FE93D51E81 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93D505F5 pushad ; retf | 0_2_000007FE93D505F9 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_000007FE93E5026B push esp; retf 4810h | 0_2_000007FE93E50312 |
| Source: C:\Windows\explorer.exe | Code function: 2_2_0000000140001394 push qword ptr [000000014000A004h]; ret | 2_2_0000000140001403 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001DACDD push rcx; retf 003Fh | 6_2_001DACDE |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_0020C6DD push rcx; retf 003Fh | 6_2_0020C6DE |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_0249C6DD push rcx; retf 003Fh | 10_2_0249C6DE |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_0096ACDD push rcx; retf 003Fh | 12_2_0096ACDE |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_0099C6DD push rcx; retf 003Fh | 12_2_0099C6DE |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_0014ACDD push rcx; retf 003Fh | 13_2_0014ACDE |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_0017C6DD push rcx; retf 003Fh | 13_2_0017C6DE |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_001EACDD push rcx; retf 003Fh | 15_2_001EACDE |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_0021C6DD push rcx; retf 003Fh | 15_2_0021C6DE |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_000FACDD push rcx; retf 003Fh | 16_2_000FACDE |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_0029C6DD push rcx; retf 003Fh | 16_2_0029C6DE |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002DACDD push rcx; retf 003Fh | 16_2_002DACDE |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_0030C6DD push rcx; retf 003Fh | 16_2_0030C6DE |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_0010ACDD push rcx; retf 003Fh | 17_2_0010ACDE |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009DC6DD push rcx; retf 003Fh | 17_2_009DC6DE |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_001CACDD push rcx; retf 003Fh | 19_2_001CACDE |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_0027C6DD push rcx; retf 003Fh | 19_2_0027C6DE |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0069ACDD push rcx; retf 003Fh | 20_2_0069ACDE |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006CC6DD push rcx; retf 003Fh | 20_2_006CC6DE |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014BC6DD push rcx; retf 003Fh | 22_2_014BC6DE |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BDC6DD push rcx; retf 003Fh | 23_2_00BDC6DE |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A8C6DD push rcx; retf 003Fh | 24_2_00A8C6DE |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C7C6DD push rcx; retf 003Fh | 25_2_00C7C6DE |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF675F80 IsWindowVisible,IsIconic,IsWindowEnabled,GetWindowLongW,GetSystemMenu,GetMenuState, | 16_2_FF675F80 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF664D94 SendMessageW,SendMessageW,GetAncestor,GetLastActivePopup,IsIconic,IsWindowEnabled,SwitchToThisWindow,IsWindowVisible,IsWindowEnabled,GetWindow,IsIconic,ShowWindowAsync, | 16_2_FF664D94 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF664D94 SendMessageW,SendMessageW,GetAncestor,GetLastActivePopup,IsIconic,IsWindowEnabled,SwitchToThisWindow,IsWindowVisible,IsWindowEnabled,GetWindow,IsIconic,ShowWindowAsync, | 16_2_FF664D94 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62ACE8 IsIconic, | 16_2_FF62ACE8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF664CFC IsWindow,IsIconic,GetForegroundWindow,ShowWindowAsync,PostMessageW, | 16_2_FF664CFC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65BB9C ShowWindow,IsIconic,SendMessageW,PostMessageW,PostMessageW,EventEnabled, | 16_2_FF65BB9C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF676530 ShowWindow,IsIconic,SendMessageW,PostMessageW,PostMessageW,IsCompositionActive, | 16_2_FF676530 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65F410 IsIconic,GetWindowLongW,IsWindowVisible, | 16_2_FF65F410 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65B328 GetMonitorInfoW,IntersectRect,SetPropW,GetModuleHandleW,LoadIconW,SendMessageW,#100,SHGetKnownFolderIDList,#155,RemovePropW,DestroyWindow,SystemParametersInfoW,OffsetRect,IsIconic,GetCurrentProcessId,SendMessageTimeoutW,GetCurrentProcessId,#8,#9,GetCurrentProcessId,#10, | 16_2_FF65B328 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65F3D3 IsIconic,GetWindowLongW, | 16_2_FF65F3D3 |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\services.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\services.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\services.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\services.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\services.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\dialer.exe TID: 1036 | Thread sleep count: 917 > 30 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe TID: 1036 | Thread sleep time: -91700s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\services.exe TID: 2912 | Thread sleep count: 7129 > 30 | Jump to behavior |
| Source: C:\Windows\System32\services.exe TID: 2912 | Thread sleep time: -7129000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\services.exe TID: 2912 | Thread sleep count: 1873 > 30 | Jump to behavior |
| Source: C:\Windows\System32\services.exe TID: 2912 | Thread sleep time: -1873000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe TID: 1292 | Thread sleep count: 7690 > 30 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe TID: 1292 | Thread sleep time: -7690000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe TID: 1292 | Thread sleep count: 901 > 30 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe TID: 1292 | Thread sleep time: -901000s >= -30000s | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe TID: 2008 | Thread sleep time: -60000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe TID: 1416 | Thread sleep count: 5563 > 30 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe TID: 1416 | Thread sleep time: -5563000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe TID: 1416 | Thread sleep count: 3625 > 30 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe TID: 1416 | Thread sleep time: -3625000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\lsm.exe TID: 1200 | Thread sleep count: 5071 > 30 | Jump to behavior |
| Source: C:\Windows\System32\lsm.exe TID: 1200 | Thread sleep time: -5071000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2572 | Thread sleep count: 6772 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2572 | Thread sleep time: -6772000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2436 | Thread sleep count: 6568 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2436 | Thread sleep time: -6568000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2228 | Thread sleep count: 3236 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2228 | Thread sleep time: -3236000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 1736 | Thread sleep time: -60000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2924 | Thread sleep count: 2293 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2924 | Thread sleep time: -2293000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2872 | Thread sleep count: 5696 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2872 | Thread sleep time: -5696000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep count: 3706 > 30 | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2172 | Thread sleep time: -3706000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 264 | Thread sleep time: -120000s >= -30000s | Jump to behavior |
| Source: C:\Windows\System32\svchost.exe TID: 2260 | Thread sleep count: 2268 > 30 | |
| Source: C:\Windows\System32\svchost.exe TID: 2260 | Thread sleep time: -2268000s >= -30000s | |
| Source: C:\Windows\System32\svchost.exe TID: 2728 | Thread sleep count: 5480 > 30 | |
| Source: C:\Windows\System32\svchost.exe TID: 2728 | Thread sleep time: -5480000s >= -30000s | |
| Source: C:\Windows\System32\spoolsv.exe TID: 2192 | Thread sleep count: 4975 > 30 | |
| Source: C:\Windows\System32\spoolsv.exe TID: 2192 | Thread sleep time: -4975000s >= -30000s | |
| Source: C:\Windows\System32\svchost.exe TID: 3076 | Thread sleep count: 2279 > 30 | |
| Source: C:\Windows\System32\svchost.exe TID: 3076 | Thread sleep time: -2279000s >= -30000s | |
| Source: C:\Windows\System32\dwm.exe TID: 3084 | Thread sleep count: 5066 > 30 | |
| Source: C:\Windows\System32\dwm.exe TID: 3084 | Thread sleep time: -5066000s >= -30000s | |
| Source: C:\Windows\explorer.exe TID: 3100 | Thread sleep count: 9733 > 30 | |
| Source: C:\Windows\explorer.exe TID: 3100 | Thread sleep time: -9733000s >= -30000s | |
| Source: C:\Windows\explorer.exe TID: 1340 | Thread sleep time: -420000s >= -30000s | |
| Source: C:\Windows\System32\UI0Detect.exe TID: 3116 | Thread sleep count: 2826 > 30 | |
| Source: C:\Windows\System32\UI0Detect.exe TID: 3116 | Thread sleep time: -2826000s >= -30000s | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 1876 | Thread sleep time: -60000s >= -30000s | |
| Source: C:\Windows\System32\svchost.exe TID: 3152 | Thread sleep count: 2262 > 30 | |
| Source: C:\Windows\System32\svchost.exe TID: 3152 | Thread sleep time: -2262000s >= -30000s | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 3160 | Thread sleep count: 1931 > 30 | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 3160 | Thread sleep time: -1931000s >= -30000s | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 2808 | Thread sleep time: -180000s >= -30000s | |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 2208 | Thread sleep time: -120000s >= -30000s | |
| Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\dialer.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\services.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\services.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Last function: Thread delayed |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual Platform |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 35 04 92 67 3a 19 1e-bc 53 01 84 57 2e e5 5c |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u |
| Source: svchost.exe, 00000014.00000000.343474746.0000000000673000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000 |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r |
| Source: spoolsv.exe, 0000001C.00000000.348519570.00000000027AE000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000P |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u |
| Source: services.exe, 00000006.00000002.607282545.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRo |
| Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}LMEM |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}} |
| Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000 |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys |
| Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0 |
| Source: svchost.exe, 00000019.00000002.610594695.0000000004884000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910} |
| Source: svchost.exe, 00000019.00000003.533428455.000000000378A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: stringComputer System ProductComputer System Product9BUL1B92043542-3A67-1E19-BC53-0184572EE55CVMware, Inc.None |
| Source: spoolsv.exe, 0000001C.00000000.348519570.00000000027AE000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PRO |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMware Virtual PlatformNoneVMware-42 35 04 92 67 3a 19 1e-bc 53 01 84 57 2e e5 5c |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRomb8 |
| Source: svchost.exe, 00000019.00000002.609571037.0000000003658000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: WMIBinaryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910} |
| Source: services.exe, 00000006.00000002.608272793.000000000179C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRom2accfe60-c130-11d2-b082-00a0c91efb8b\\?\PCIIDE#IDEChannel#5&35c44269&0&4#{2accfe60-c130-11d2-b082-00a0c91efb8b}15ad-07e0Internal_IDE_Channel*PNP06008 |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value) |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAW3 |
| Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0r |
| Source: WmiPrvSE.exe, 00000022.00000003.441760961.00000000003AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0y |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRoml8 |
| Source: svchost.exe, 00000019.00000000.347320164.0000000003E48000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_ComputerSystemuser-PCWin32_ComputerSystemuser-PCOKuser-PC\userx64-based PCNormal bootVMware, Inc.VMware Virtual Platform |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
| Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0 |
| Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&2848384c&0&1.0.0 |
| Source: svchost.exe, 00000019.00000000.347411701.000000000482C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD')) |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
| Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware |
| Source: svchost.exe, 00000014.00000000.343599035.000000000177E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b0pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b8acpi\pnp0a05\5aroot\ms_pppoeminiport\0000root\legacy_discache\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&c0acpi\pnp0a05\23usb\vid_0e0f&pid_0003&mi_01\7&2a7d3009&0&0001pciide\idechannel\4&c5d1198&0&0acpi\pnp0a05\4&205ad762&0acpi\pnp0a05\5broot\legacy_ndproxy\0000acpi\pnp0a05\24pciide\idechannel\5&35c44269&0&5root\legacy_storflt\0000pciide\idechannel\5&35c44269&0&19root\ms_pptpminiport\0000ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25acpi\pnp0a05\40pciide\idechannel\4&c5d1198&0&1acpi\pnp0a05\5droot\legacy_tcpip\0000acpi\pnp0a05\26pciide\idechannel\5&35c44269&0&6root\ms_sstpminiport\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&a9acpi\pnp0a05\41pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b1pciide\idechannel\5&35c44269&0&2pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b9pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01 |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371 |
| Source: explorer.exe, 0000001F.00000002.604991513.00000000025E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter')) |
| Source: svchost.exe, 00000014.00000002.602992913.0000000000210000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000 |
| Source: explorer.exe, 0000001F.00000000.349660283.00000000001D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7 |
| Source: svchost.exe, 00000019.00000002.609571037.00000000035A1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: WDMClassesOfDriverMSStorageDriver_SenseDataSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910} |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_____ |
| Source: lsm.exe, 00000013.00000002.603598092.000000000038E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0 |
| Source: svchost.exe, 00000019.00000002.609805884.0000000003731000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: WMIBinaryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}ceName]me]$ |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc. |
| Source: svchost.exe, 0000001D.00000002.605471171.00000000020A3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0 |
| Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&22b |
| Source: svchost.exe, 00000019.00000000.347207490.00000000036C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: naryMofResourceSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910} |
| Source: services.exe, 00000006.00000002.607282545.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRom |
| Source: svchost.exe, 00000017.00000002.607596633.0000000001E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: _vmware&prod_virtual_disk#5 |
| Source: svchost.exe, 00000014.00000000.343599035.000000000177E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: _volsnap\0000root\legacy_ksecpkg\0000pciide\idechannel\5&35c44269&0&10acpi\pnp0a05\2froot\*teredo\0000display\default_monitor\4&10c2e2d6&0&12345678&00&0facpi\pnp0a05\4aroot\legacy_peauth\0000scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000acpi\genuineintel_-_intel64_family_6_model_85_-_intel(r)_core(tm)2_cpu_6600_@_2.40_ghz\_0acpi\pnp0a05\30acpi\pnp0a05\4broot\legacy_wanarpv6\0000root\legacy_lltdio\0000root\acpi_hal\0000pciide\idechannel\5&35c44269&0&24pci\ven_15ad&dev_0740&subsys_074015ad&rev_10\3&2b8e0b4b&0&3fpciide\idechannel\5&35c44269&0&11root\legacy_psched\0000pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&acpci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&b4acpi\pnp0a05\31pci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&bcpci\ven_15ad&dev_07a0&subsys_07a015ad&rev_01\3&2b8e0b4b&0&c4acpi\pnp0a05\4cacpi\pnp0800\4&205ad762&0root\blbdrive\0000pci\ven_8086&dev_7110&subsys_197615ad&rev_08\3&2b8e0b4b&0&38root\legacy_wdf01000\0000acpi\pnp0a05\32hdaudio\func_01&ven_15ad&dev_1975&subsys_15ad1975&rev_1001\5&8a7c |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
| Source: WmiPrvSE.exe, 00000022.00000003.441341124.00000000003FF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}w |
| Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20 |
| Source: svchost.exe, 00000017.00000002.603298774.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
| Source: WmiPrvSE.exe, 00000022.00000003.441760961.00000000003AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000 |
| Source: services.exe, 00000006.00000002.608321393.00000000017C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-1 |
| Source: svchost.exe, 00000019.00000002.603306949.00000000002EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk 1.0 MM* |
| Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
| Source: svchost.exe, 00000014.00000002.606686716.0000000000F60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&0000000 |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAWE_Channel*PNP0600 |
| Source: svchost.exe, 00000019.00000000.347411701.0000000004720000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: stringComputer System ProductComputer System Product9BUL1B92043542-3A67-1E19-BC53-0184572EE55CVMware, Inc.Noney* |
| Source: WmiPrvSE.exe, 00000024.00000003.509098082.000000000027C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: select * from WMIBinaryMofResource where Name = "SCSI\\Disk&Ven_VMware&Prod_Virtual_disk\\5&22be343f&0&000000_0-{05901221-D566-11d1-B2F0-00A0C9062910}"00A0C9062910}" |
| Source: mine327.exe, 00000000.00000002.377843630.00000000029FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
| Source: svchost.exe, 00000014.00000002.606686716.0000000000F67000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0 |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value) |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAW |
| Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000 |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value) |
| Source: explorer.exe, 0000001F.00000002.606706574.0000000003E59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790 |
| Source: svchost.exe, 00000014.00000002.602992913.00000000001E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi\disk&ven_vmware_&prod_vmware_virtual_s\5&22be343f&0&000000 |
| Source: svchost.exe, 00000019.00000000.346906062.0000000001170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a |
| Source: svchost.exe, 0000001D.00000002.605471171.00000000020A3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ZDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____\6&373888b8&0&1.0.0272fb |
| Source: svchost.exe, 0000001D.00000002.603668650.000000000038D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Policyagent049f198-1016-11e7-b87b-806e6f6e6963}\??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\DosDevices\D:\??\Volume{8a07945e-cd11-11ea-a1d0-806e6f6e6963}c |
| Source: svchost.exe, 00000019.00000000.347411701.000000000482C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityVMware Virtual disk SCSI Disk Device{4d36e967-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityDisk driveSCSI\DISK&VEN__HV5B96L&PROD_VIRTUAL_DISK\5&22BE343F&0&000000System.String[](Standard disk drives)VMware Virtual disk SCSI Disk DeviceSCSI\DISK&VEN_DN177VWB&PROD_VIRTUAL_DISK\5&22BE343F&0&000000diskOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74 |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56308-b6bf-11d0-94f2-00a0c91efb8b\\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}IDE\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____IDE\NECVMWar_VMware_SATA_CD01_______________1.00____IDE\CdRomNECVMWar_VMware_SATA_CD01_______________NECVMWar_VMware_SATA_CD01_______________1.00____GenCdRomGenCdRome8 |
| Source: svchost.exe, 00000016.00000002.605131595.0000000002100000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware')) |
| Source: services.exe, 00000006.00000000.341821779.0000000001783000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 53f56307-b6bf-11d0-94f2-00a0c91efb8b\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&22be343f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SCSI\DiskVMware__Virtual_disk____1.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____1VMware__Virtual_disk____1GenDiskSCSI\DiskSCSI\RAWeX |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_005780F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_005780F8 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_00577D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00577D90 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_00586218 SetUnhandledExceptionFilter, | 0_2_00586218 |
| Source: C:\Users\user\Desktop\mine327.exe | Code function: 0_2_0057D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0057D2A4 |
| Source: C:\Windows\explorer.exe | Code function: 2_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, | 2_2_0000000140001160 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001F80F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess, | 6_2_001F80F8 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_001F7D90 |
| Source: C:\Windows\System32\services.exe | Code function: 6_2_001FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_001FD2A4 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_0248D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_0248D2A4 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_024880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess, | 10_2_024880F8 |
| Source: C:\Windows\System32\WerFault.exe | Code function: 10_2_02487D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_02487D90 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_009880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 12_2_009880F8 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_00987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 12_2_00987D90 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_0098D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 12_2_0098D2A4 |
| Source: C:\Windows\System32\winlogon.exe | Code function: 12_2_00996218 SetUnhandledExceptionFilter, | 12_2_00996218 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00167D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 13_2_00167D90 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_00176218 SetUnhandledExceptionFilter, | 13_2_00176218 |
| Source: C:\Windows\System32\sc.exe | Code function: 13_2_0016D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 13_2_0016D2A4 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_00207D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 15_2_00207D90 |
| Source: C:\Windows\System32\conhost.exe | Code function: 15_2_0020D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 15_2_0020D2A4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002880F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 16_2_002880F8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00287D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_00287D90 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00296218 SetUnhandledExceptionFilter, | 16_2_00296218 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_0028D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_0028D2A4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002F7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_002F7D90 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_00306218 SetUnhandledExceptionFilter, | 16_2_00306218 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_002FD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 16_2_002FD2A4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF64A6E8 SetUnhandledExceptionFilter, | 16_2_FF64A6E8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6212F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 16_2_FF6212F0 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 17_2_009C7D90 |
| Source: C:\Windows\System32\lsass.exe | Code function: 17_2_009CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 17_2_009CD2A4 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_00267D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 19_2_00267D90 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_00276218 SetUnhandledExceptionFilter, | 19_2_00276218 |
| Source: C:\Windows\System32\lsm.exe | Code function: 19_2_0026D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 19_2_0026D2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 20_2_006B7D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 20_2_006BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 20_2_006BD2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 22_2_014A7D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 22_2_014AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 22_2_014AD2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BC7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 23_2_00BC7D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00BCD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 23_2_00BCD2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 24_2_00A77D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 24_2_00A7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 24_2_00A7D2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 25_2_00C67D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 25_2_00C6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 25_2_00C6D2A4 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_002C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 26_2_002C7D90 |
| Source: C:\Windows\System32\svchost.exe | Code function: 26_2_002CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 26_2_002CD2A4 |
| Source: C:\Users\user\Desktop\mine327.exe | Memory allocated: C:\Windows\explorer.exe base: 140000000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: C60000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1140000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BE40000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BF00000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BF60000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1C020000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\mine327.exe base: 1C080000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\services.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\winlogon.exe base: 950000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\lsass.exe base: F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\lsm.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 680000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 13F0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 180000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: B90000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 110000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: FD0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\spoolsv.exe base: 1E50000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\dwm.exe base: 340000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\explorer.exe base: 2800000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\taskeng.exe base: 970000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\UI0Detect.exe base: 1B80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 330000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Users\user\Desktop\mine327.exe base: 540000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\svchost.exe base: 120000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\WerFault.exe base: 1D80000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\sc.exe base: 130000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory protected: C:\Windows\System32\conhost.exe base: 1D0000 protect: page execute and read and write | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\services.exe EIP: 1C273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 95273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\conhost.exe EIP: E273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsass.exe EIP: F273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\lsm.exe EIP: 1B273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 68273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 13273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 13F273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 97273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 18273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B9273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 11273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: FD273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 1E5273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 12273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\dwm.exe EIP: 34273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\explorer.exe EIP: 280273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\taskeng.exe EIP: 97273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\UI0Detect.exe EIP: 1B8273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1A273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 33273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1B273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\wbem\WmiPrvSE.exe EIP: 1C273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 13273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 54273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 2C273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 12273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\WerFault.exe EIP: 1D8273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\sc.exe EIP: 13273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: C:\Windows\System32\conhost.exe EIP: 1D273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: C6273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1ACC273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1BF6273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1BFC273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Thread created: unknown EIP: 1C02273C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQueryInformationProcess: Direct from: 0x1400018E6 | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | NtResumeThread: Indirect: 0x28231E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQueryInformationProcess: Direct from: 0x140001176 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x98171F | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x981795 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x984E3C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtCreateThreadEx: Direct from: 0x14000145B | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtNotifyChangeKey: Direct from: 0x1F3862 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtMapViewOfSection: Direct from: 0x14000202B | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtSetTimer: Direct from: 0x772FA561 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtQueryInformationProcess: Direct from: 0x1F196E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQuerySystemInformation: Direct from: 0x14000155D | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtQueryVolumeInformationFile: Direct from: 0x1F241C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtRequestWaitReplyPort: Direct from: 0x1400024AA | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtMapViewOfSection: Direct from: 0x989E4F | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtSetInformationProcess: Direct from: 0x1F1A66 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtReadFile: Direct from: 0x1F2309 | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | NtEnumerateValueKey: Indirect: 0x16293D | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtClose: Direct from: 0x9C173A | |
| Source: C:\Windows\System32\lsass.exe | NtMapViewOfSection: Direct from: 0xF2861 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtProtectVirtualMemory: Direct from: 0x1400020B4 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtDelayExecution: Direct from: 0x981ADD | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | NtEnumerateValueKey: Indirect: 0x28293D | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenSection: Direct from: 0x98F43A | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | NtQuerySystemInformation: Indirect: 0x248205D | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtClose: Direct from: 0x1F173A | |
| Source: C:\Windows\System32\dialer.exe | NtClose: Direct from: 0x140002321 | |
| Source: C:\Windows\System32\dialer.exe | NtCreateKey: Direct from: 0x140002444 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtEnumerateValueKey: Direct from: 0x98290E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtFsControlFile: Direct from: 0x140002208 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x983830 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtQueryDirectoryFile: Direct from: 0x1F23AE | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtCreateKey: Direct from: 0x1400023C4 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtReadVirtualMemory: Direct from: 0x1400015B0 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtProtectVirtualMemory: Direct from: 0x1400020E4 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtReadVirtualMemory: Direct from: 0x140001FAE | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x9816E5 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQueryInformationProcess: Direct from: 0x14000121C | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtResumeThread: Direct from: 0x1F231E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAdjustPrivilegesToken: Direct from: 0x14000230E | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x98180B | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtClose: Direct from: 0x9818A6 | |
| Source: C:\Windows\System32\winlogon.exe | NtRequestWaitReplyPort: Direct from: 0x983311 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x985E6C | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtClose: Direct from: 0x140001901 | |
| Source: C:\Windows\System32\dialer.exe | NtClose: Direct from: 0x140001623 | |
| Source: C:\Windows\System32\sc.exe | NtResumeThread: Indirect: 0x16231E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtFsControlFile: Direct from: 0x140002C97 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAllocateVirtualMemory: Direct from: 0x14000192A | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x98175A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtCreateFile: Direct from: 0x140001FDE | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtCreateNamedPipeFile: Direct from: 0x140001C6D | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | NtResumeThread: Indirect: 0x248231E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQuerySystemInformation: Direct from: 0x140002B9F | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | NtDeviceIoControlFile: Indirect: 0x162B9D | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x981881 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAllocateVirtualMemory: Direct from: 0x140001657 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAllocateVirtualMemory: Direct from: 0x140001414 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtClose: Direct from: 0x1400014B1 | |
| Source: C:\Windows\System32\lsass.exe | NtQuerySystemInformation: Direct from: 0x9C205D | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | NtEnumerateValueKey: Indirect: 0x28290E | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtResumeThread: Direct from: 0x9C3311 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtRequestWaitReplyPort: Direct from: 0x1400024EE | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAllocateVirtualMemory: Direct from: 0x140002335 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtAllocateVirtualMemory: Direct from: 0x772FA36E | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtRequestWaitReplyPort: Direct from: 0x1F3311 | Jump to behavior |
| Source: C:\Windows\System32\WerFault.exe | NtQueryDirectoryFile: Indirect: 0x24823AE | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtFsControlFile: Direct from: 0x140002C30 | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | NtDeviceIoControlFile: Indirect: 0x282B9D | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x9837F4 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x9817D0 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtRequestWaitReplyPort: Direct from: 0x140002081 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtClose: Direct from: 0x98173A | |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x98565F | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtReadVirtualMemory: Direct from: 0x1400015E7 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtOpenSection: Direct from: 0x1FF43A | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x9816B8 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtCreateFile: Direct from: 0x1F22C2 | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | NtQuerySystemInformation: Indirect: 0x28205D | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtAllocateVirtualMemory: Direct from: 0x983AA5 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtProtectVirtualMemory: Direct from: 0x140001437 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtDelayExecution: Direct from: 0x9C1ADD | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtOpenSection: Direct from: 0x9CF43A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtSetSecurityObject: Direct from: 0x140002404 | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtMapViewOfSection: Direct from: 0x1C2861 | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtProtectVirtualMemory: Direct from: 0x952861 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtRequestWaitReplyPort: Direct from: 0x14000250F | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtMapViewOfSection: Direct from: 0x1F9E4F | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtEnumerateValueKey: Direct from: 0x98293D | Jump to behavior |
| Source: C:\Windows\System32\winlogon.exe | NtAllocateVirtualMemory: Direct from: 0x9527DD | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | NtMapViewOfSection: Direct from: 0x9C9E4F | Jump to behavior |
| Source: C:\Windows\System32\services.exe | NtDelayExecution: Direct from: 0x1F1ADD | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtSetValueKey: Direct from: 0x140002475 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtProtectVirtualMemory: Direct from: 0x140001BF1 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtDeviceIoControlFile: Direct from: 0x1400023EB | Jump to behavior |
| Source: C:\Windows\System32\sc.exe | NtEnumerateValueKey: Indirect: 0x16290E | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtDelayExecution: Direct from: 0x140002517 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtClose: Direct from: 0x14000247F | |
| Source: C:\Windows\System32\winlogon.exe | NtOpenKeyEx: Direct from: 0x981846 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtReadFile: Direct from: 0x140002C53 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | NtQuerySystemInformation: Direct from: 0x1400022D6 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 140000000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\services.exe base: 1C0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 950000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: F0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsm.exe base: 1B0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 680000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 130000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13F0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 970000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 180000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: B90000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 110000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: FD0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1E50000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 120000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 340000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 2800000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\taskeng.exe base: 970000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\UI0Detect.exe base: 1B80000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 330000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 540000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 120000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1D80000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sc.exe base: 130000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: C60000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1140000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BE40000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF00000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF60000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1C020000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1C080000 value starts with: 4D5A | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 140000000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 140001000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 140008000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 14000A000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 1402BD000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 1402BE000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 1402BF000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 1402C0000 | Jump to behavior |
| Source: C:\Users\user\Desktop\mine327.exe | Memory written: C:\Windows\explorer.exe base: 7FFFFFDB010 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\services.exe base: 1C0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 950000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: F0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: E0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsm.exe base: 1B0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 680000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 130000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13F0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 970000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 180000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: B90000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 110000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: FD0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1E50000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 120000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 340000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 2800000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\taskeng.exe base: 970000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\UI0Detect.exe base: 1B80000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1A0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 330000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1B0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1C0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE base: 130000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 540000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe base: 2C0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 120000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1D80000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sc.exe base: 130000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1D0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: C60000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1140000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1ACC0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1B4A0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BE40000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BEA0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF00000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BF60000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1BFC0000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1C020000 | Jump to behavior |
| Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\mine327.exe base: 1C080000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 1BB0000 | Jump to behavior |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF634EF4 SHBindToParent, | 16_2_FF634EF4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6B9EF0 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree, | 16_2_FF6B9EF0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF642ED0 SHBindToParent, | 16_2_FF642ED0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A8D58 SHBindToParent,#460,SHStrDupW, | 16_2_FF6A8D58 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63FDA0 SHBindToParent, | 16_2_FF63FDA0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF69AD98 SetForegroundWindow,SHBindToObject,#279,SHGetPathFromIDListW,#388, | 16_2_FF69AD98 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6B6CD8 #21,SHBindToObject,#155,SHBindToObject,SHGetIDListFromObject,#484,#155,#155,#155, | 16_2_FF6B6CD8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6B9B64 RpcBindingFree,CloseHandle,CloseHandle,NdrClientCall3,LocalFree, | 16_2_FF6B9B64 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6B6B20 #21,SHBindToObject,#155,SHBindToObject,SHGetIDListFromObject,#155,#155,#155, | 16_2_FF6B6B20 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6AFBDC SHBindToParent, | 16_2_FF6AFBDC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF665A40 SHBindToParent,#571,DestroyWindow, | 16_2_FF665A40 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62F9CC SHBindToFolderIDListParent, | 16_2_FF62F9CC |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF62A8E8 SHBindToFolderIDListParent,#787,SHStrDupW,PathParseIconLocationW,Shell_GetCachedImageIndexW,CoTaskMemFree,memset,PathIsNetworkPathW,AssocQueryKeyW,Shell_GetCachedImageIndexW,SHGetValueW,RegCloseKey,PathParseIconLocationW,Shell_GetCachedImageIndexW, | 16_2_FF62A8E8 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF65F750 SetForegroundWindow,#89,SHBindToParent,CreatePopupMenu,LoadStringW,AppendMenuW,LoadStringW,AppendMenuW,TrackPopupMenu,DestroyMenu,#155,#100,SHGetFolderPathW,AppendMenuW,LoadStringW,AppendMenuW,#158,memset,SHGetPathFromIDListA,SHGetPathFromIDListW,SHGetKnownFolderIDList, | 16_2_FF65F750 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF634720 SHBindToParent,DestroyIcon,SHParseDisplayName,SHBindToParent,DestroyIcon,#155, | 16_2_FF634720 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF63F798 #89,SHBindToObject,CoTaskMemFree,#155, | 16_2_FF63F798 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6506F4 SHBindToParent, | 16_2_FF6506F4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF66941C GetClientRect,SHGetKnownFolderIDList,SHBindToParent,SendMessageCallbackW,#155,CoTaskMemFree,DestroyIcon, | 16_2_FF66941C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF67437C SHGetIDListFromObject,#16,#17,#155,SHBindToParent,#199, | 16_2_FF67437C |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF635320 SHGetKnownFolderIDList,SHBindToParent,CoCreateInstance,#487,StrCmpW,CoTaskMemFree,PathParseIconLocationW,#460,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,SendMessageCallbackW,#155,CoTaskMemFree,DestroyIcon, | 16_2_FF635320 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6BC3E0 #278,CoCreateInstance,SendMessageW,SHBindToParent,SendMessageW,#571,SendMessageW,DestroyWindow, | 16_2_FF6BC3E0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6D73F4 SHBindToObject,#155, | 16_2_FF6D73F4 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF672398 memset,StringFromGUID2,#155,SHBindToObject, | 16_2_FF672398 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6D7270 #25,#155,SHBindToObject,#18, | 16_2_FF6D7270 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6A9110 SHGetKnownFolderIDList,SHBindToObject,#25,#155,#155,SHGetKnownFolderIDList,#155, | 16_2_FF6A9110 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF6741F0 #155,#155,SHBindToObject, | 16_2_FF6741F0 |
| Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 16_2_FF674000 SHGetIDListFromObject,SHBindToObject,CoTaskMemFree,CoTaskMemFree,SHCreateItemFromIDList,CoTaskMemFree, | 16_2_FF674000 |
Edit tour
mine327.exe (PID: 1436 cmdline: 
explorer.exe (PID: 2996 cmdline: 
dialer.exe (PID: 2096 cmdline: 
WerFault.exe (PID: 1096 cmdline: 
winlogon.exe (PID: 412 cmdline: 
conhost.exe (PID: 1640 cmdline: 
UI0Detect.exe (PID: 1528 cmdline: 
WmiPrvSE.exe (PID: 1820 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node