Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c ipconfig /all |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c systeminfo |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c nltest /domain_trusts |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c net view /all /domain |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c nltest /domain_trusts /all_trusts |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c net view /all |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &ipconfig= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c net group "Domain Admins" /domain |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\wbem\wmic.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c net config workstation |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /c whoami /groups |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\Windows\System32\cmd.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &systeminfo= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &domain_trusts= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &domain_trusts_all= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &net_view_all_domain= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &net_view_all= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &net_group= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &wmic= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &net_config_ws= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &net_wmic_av= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &whoami_group= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "pid": |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%d", |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "proc": |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%s", |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "subproc": [ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &proclist=[ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "pid": |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%d", |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "proc": |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%s", |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "subproc": [ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &desklinks=[ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: *.* |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%s" |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Update_%x |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Custom_update |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: .dll |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: .exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Updater |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%s" |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: rundll32.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: "%s", %s %s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: runnung |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: :wtfbbq |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %s%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: files/bp.dat |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %s\%d.dll |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %d.dat |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %s\%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: init -zzzz="%s\%s" |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: front |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: /files/ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Facial |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: !"$%&()*wp |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: .exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Content-Type: application/x-www-form-urlencoded |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: POST |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: GET |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: curl/7.88.1 |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: CLEARURL |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: URLS |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: COMMAND |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: ERROR |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6 |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: <html> |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: <!DOCTYPE |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %s%d.dll |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: 12345 |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &stiller= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %s%d.exe |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: LogonTrigger |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %x%x |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: TimeTrigger |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: PT0H%02dM |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %04d-%02d-%02dT%02d:%02d:%02d |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &mac= |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %02x |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: :%02x |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: PT0S |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &computername=%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: &domain=%s |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: \*.dll |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %04X%04X%04X%04X%08X%04X |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: %04X%04X%04X%04X%08X%04X |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: \Registry\Machine\ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: https://jarinamaers.shop/live/ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: https://wrankaget.site/live/ |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: AppData |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Desktop |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Startup |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Personal |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Local AppData |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: \update_data.dat |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: URLS |
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack |
String decryptor: URLS|%d|%s |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr |
String found in binary or memory: ftp://ftp%2desktop.ini |
Source: rundll32.exe |
String found in binary or memory: http://dr.f.360.cn/scan |
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr |
String found in binary or memory: http://dr.f.360.cn/scanlist |
Source: rundll32.exe |
String found in binary or memory: http://pconf.f.360.cn/safe_update.php |
Source: rundll32.exe |
String found in binary or memory: http://pscan.f.360.cn/safe_update.php |
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr |
String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie |
Source: rundll32.exe |
String found in binary or memory: http://sconf.f.360.cn/client_security_conf |
Source: Amcache.hve.8.dr |
String found in binary or memory: http://upx.sf.net |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/ |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/g |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/live/ |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/live/) |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/live/U |
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://grizmotras.com/live/p |
Source: rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/ |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/7 |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/7- |
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/live/ |
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/live/& |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/live/4K& |
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/live/dOIDInfo |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/n |
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://jarinamaers.shop/rs |
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://pewwhranet.com/live/ |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C78C0 NtReadFile, |
4_2_00000203431C78C0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431CB0C4 NtOpenKey,RtlpNtOpenKey, |
4_2_00000203431CB0C4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7B40 NtFreeVirtualMemory, |
4_2_00000203431C7B40 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431CAD34 NtAllocateVirtualMemory, |
4_2_00000203431CAD34 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C378C NtClose, |
4_2_00000203431C378C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7588 RtlInitUnicodeString,NtCreateFile,NtClose, |
4_2_00000203431C7588 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C77B0 RtlInitUnicodeString,NtCreateFile, |
4_2_00000203431C77B0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, |
4_2_00000203431CB1D4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C79C8 NtClose, |
4_2_00000203431C79C8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, |
4_2_00000203431C463C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7A54 NtWriteFile, |
4_2_00000203431C7A54 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431D0AC0 NtFreeVirtualMemory, |
4_2_00000203431D0AC0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7ACC NtClose, |
4_2_00000203431C7ACC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431D0AF0 NtWriteFile, |
4_2_00000203431D0AF0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7704 NtQueryInformationFile, |
4_2_00000203431C7704 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431CCB54 NtDelayExecution, |
4_2_00000203431CCB54 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C745C RtlInitUnicodeString,NtOpenFile,NtClose, |
4_2_00000203431C745C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431D0A78 NtClose, |
4_2_00000203431D0A78 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C7694 RtlInitUnicodeString,NtDeleteFile, |
4_2_00000203431C7694 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431D0A90 NtDeleteFile, |
4_2_00000203431D0A90 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, |
9_2_000002238013B1D4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, |
9_2_000002238013463C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137A54 NtWriteFile, |
9_2_0000022380137A54 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013B0C4 NtOpenKey,RtlpNtOpenKey, |
9_2_000002238013B0C4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013AD34 NtAllocateVirtualMemory, |
9_2_000002238013AD34 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137B40 NtFreeVirtualMemory, |
9_2_0000022380137B40 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013CB54 NtDelayExecution, |
9_2_000002238013CB54 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013378C NtClose, |
9_2_000002238013378C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_00000223801377B0 RtlInitUnicodeString,NtCreateFile, |
9_2_00000223801377B0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_00000223801379C8 NtClose, |
9_2_00000223801379C8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_000002238013745C RtlInitUnicodeString,NtOpenFile,NtClose, |
9_2_000002238013745C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380140A78 NtClose, |
9_2_0000022380140A78 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137694 RtlInitUnicodeString,NtDeleteFile, |
9_2_0000022380137694 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380140A90 NtDeleteFile, |
9_2_0000022380140A90 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380140AC0 NtFreeVirtualMemory, |
9_2_0000022380140AC0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_00000223801378C0 NtReadFile, |
9_2_00000223801378C0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137ACC NtClose, |
9_2_0000022380137ACC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137704 NtQueryInformationFile, |
9_2_0000022380137704 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380137588 RtlInitUnicodeString,NtCreateFile,NtClose, |
9_2_0000022380137588 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180017FE8 |
3_2_0000000180017FE8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006DFF4 |
3_2_000000018006DFF4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800220D8 |
3_2_00000001800220D8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018007C140 |
3_2_000000018007C140 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180060174 |
3_2_0000000180060174 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018008023C |
3_2_000000018008023C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018000834C |
3_2_000000018000834C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006C470 |
3_2_000000018006C470 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800784E0 |
3_2_00000001800784E0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800764F0 |
3_2_00000001800764F0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180060578 |
3_2_0000000180060578 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180010580 |
3_2_0000000180010580 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018004E5DC |
3_2_000000018004E5DC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180062600 |
3_2_0000000180062600 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180002610 |
3_2_0000000180002610 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180004638 |
3_2_0000000180004638 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018004A650 |
3_2_000000018004A650 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006E760 |
3_2_000000018006E760 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800647B0 |
3_2_00000001800647B0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018007E7C7 |
3_2_000000018007E7C7 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180076930 |
3_2_0000000180076930 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180062954 |
3_2_0000000180062954 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006A994 |
3_2_000000018006A994 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006E9FC |
3_2_000000018006E9FC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180082A18 |
3_2_0000000180082A18 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180072A27 |
3_2_0000000180072A27 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180010B58 |
3_2_0000000180010B58 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180026C84 |
3_2_0000000180026C84 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018001ECF4 |
3_2_000000018001ECF4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180008E20 |
3_2_0000000180008E20 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180052FD8 |
3_2_0000000180052FD8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018003AFE8 |
3_2_000000018003AFE8 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018005D014 |
3_2_000000018005D014 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006F0B4 |
3_2_000000018006F0B4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800630CC |
3_2_00000001800630CC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018005912C |
3_2_000000018005912C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018004B1A4 |
3_2_000000018004B1A4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180049278 |
3_2_0000000180049278 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018007B2D0 |
3_2_000000018007B2D0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018002B2EC |
3_2_000000018002B2EC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018006D3D4 |
3_2_000000018006D3D4 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800033E0 |
3_2_00000001800033E0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180075480 |
3_2_0000000180075480 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800694A0 |
3_2_00000001800694A0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018005958C |
3_2_000000018005958C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800576DC |
3_2_00000001800576DC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800097E0 |
3_2_00000001800097E0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800277FC |
3_2_00000001800277FC |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018002D964 |
3_2_000000018002D964 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180073B60 |
3_2_0000000180073B60 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018007BBB0 |
3_2_000000018007BBB0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018001BC38 |
3_2_000000018001BC38 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018005DD18 |
3_2_000000018005DD18 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180073DF0 |
3_2_0000000180073DF0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180011DF0 |
3_2_0000000180011DF0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018005BE6C |
3_2_000000018005BE6C |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_000000018004FF88 |
3_2_000000018004FF88 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 4_2_00000203431C1030 |
4_2_00000203431C1030 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 9_2_0000022380131030 |
9_2_0000022380131030 |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll" |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 452 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 472 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c ipconfig /all |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig /all |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c systeminfo |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\systeminfo.exe systeminfo |
Source: C:\Windows\System32\systeminfo.exe |
Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c net view /all /domain |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\net.exe net view /all /domain |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c ipconfig /all |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c systeminfo |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\System32\cmd.exe /c net view /all /domain |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\ipconfig.exe ipconfig /all |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\systeminfo.exe systeminfo |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\net.exe net view /all /domain |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\System32\ipconfig.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\System32\ipconfig.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\System32\ipconfig.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: fastprox.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: ncobjapi.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe |
Section loaded: esscli.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: ntdsapi.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: logoncli.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: ntdsapi.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: logoncli.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\nltest.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: samcli.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: browcli.dll |
Source: C:\Windows\System32\net.exe |
Section loaded: cscapi.dll |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\systeminfo.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\systeminfo.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\systeminfo.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\systeminfo.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef& |
Source: rundll32.exe, 00000004.00000002.2040462096.0000020342FFE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: rod_VMware_SATA_CD00 |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.8.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.8.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.8.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.8.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFED9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.8.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.8.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: rundll32.exe, 00000009.00000002.3284572654.00000223820D0000.00000040.00001000.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No |
Source: Amcache.hve.8.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.8.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWU |
Source: Amcache.hve.8.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.8.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.8.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.8.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.8.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.8.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.8.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.8.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.8.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.8.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.8.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.8.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR |
Source: Yara match |
File source: decrypted.memstr, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR |
Source: Yara match |
File source: decrypted.memstr, type: MEMORYSTR |