Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12 |
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224 |
Source: providernvidia.exe, 00000006.00000002.463740202.000000000079C000.00000004.00000020.sdmp | String found in binary or memory: http://173.230.145.224:8080/ |
Source: providernvidia.exe, 00000006.00000002.463740202.000000000079C000.00000004.00000020.sdmp | String found in binary or memory: http://173.230.145.224:8080/_ |
Source: providernvidia.exe, 00000006.00000003.279590439.000000000079C000.00000004.00000001.sdmp | String found in binary or memory: http://193.169.54.12:8080/ |
Source: providernvidia.exe, 00000006.00000002.463769550.00000000007A7000.00000004.00000020.sdmp | String found in binary or memory: http://193.169.54.12:8080/3 |
Source: providernvidia.exe, 00000006.00000003.279590439.000000000079C000.00000004.00000001.sdmp | String found in binary or memory: http://193.169.54.12:8080/Z |
Source: providernvidia.exe, 00000006.00000002.463740202.000000000079C000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/ |
Source: providernvidia.exe, 00000006.00000002.463740202.000000000079C000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/1 |
Source: svchost.exe, 0000000A.00000002.465953510.000002A4BBE0C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 0000000A.00000002.465953510.000002A4BBE0C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 0000000A.00000002.465953510.000002A4BBE0C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0 |
Source: svchost.exe, 0000000A.00000002.465483390.000002A4BBD00000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 00000011.00000002.309051305.000001E921613000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com |
Source: svchost.exe, 0000000E.00000002.463912336.000001E2FBC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 0000000E.00000002.463912336.000001E2FBC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 0000000E.00000002.463912336.000001E2FBC3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 0000000E.00000002.463912336.000001E2FBC3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000000E.00000002.463912336.000001E2FBC3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000011.00000003.308755545.000001E921649000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 00000011.00000002.309100617.000001E92163D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 00000011.00000003.308742105.000001E92164B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000011.00000003.287007711.000001E921630000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 00000011.00000002.309100617.000001E92163D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 00000011.00000003.287007711.000001E921630000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 00000011.00000002.309109992.000001E921642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 00000011.00000002.309109992.000001E921642000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 00000011.00000003.308773313.000001E921640000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 00000011.00000003.308755545.000001E921649000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308742105.000001E92164B000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308742105.000001E92164B000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308724185.000001E921662000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 00000011.00000003.308735974.000001E921660000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 00000011.00000003.287007711.000001E921630000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.309100617.000001E92163D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000011.00000003.287007711.000001E921630000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000011.00000002.309100617.000001E92163D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 00000011.00000002.309051305.000001E921613000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.309100617.000001E92163D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308773313.000001E921640000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308773313.000001E921640000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000011.00000003.287007711.000001E921630000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000011.00000002.309091104.000001E921639000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 00000011.00000003.308742105.000001E92164B000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: Yara match | File source: 9fdUNaHzLv.exe, type: SAMPLE |
Source: Yara match | File source: 00000006.00000000.203362622.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.204527300.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.463908181.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.203725030.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000000.202520329.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.196824116.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.194691427.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000000.195820099.0000000000D11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.providernvidia.exe.d10000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 5.2.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE |
Source: 9fdUNaHzLv.exe, type: SAMPLE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 5.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 6.2.providernvidia.exe.d10000.1.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 5.2.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 2.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 6.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 2.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 9fdUNaHzLv.exe, type: SAMPLE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 5.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 6.2.providernvidia.exe.d10000.1.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 5.2.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 2.0.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 6.0.providernvidia.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 2.2.9fdUNaHzLv.exe.d10000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: C:\Users\user\Desktop\9fdUNaHzLv.exe | Mutant created: \Sessions\1\BaseNamedObjects\M3E49A257 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5152:120:WilError_01 |
Source: C:\Windows\SysWOW64\providernvidia.exe | Mutant created: \BaseNamedObjects\Global\I6F6A638B |
Source: C:\Users\user\Desktop\9fdUNaHzLv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M6F6A638B |
Source: C:\Windows\SysWOW64\providernvidia.exe | Mutant created: \BaseNamedObjects\M7EB4FDDE |
Source: C:\Users\user\Desktop\9fdUNaHzLv.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I6F6A638B |
Source: unknown | Process created: C:\Users\user\Desktop\9fdUNaHzLv.exe 'C:\Users\user\Desktop\9fdUNaHzLv.exe' |
Source: C:\Users\user\Desktop\9fdUNaHzLv.exe | Process created: C:\Users\user\Desktop\9fdUNaHzLv.exe C:\Users\user\Desktop\9fdUNaHzLv.exe |
Source: unknown | Process created: C:\Windows\SysWOW64\providernvidia.exe C:\Windows\SysWOW64\providernvidia.exe |
Source: C:\Windows\SysWOW64\providernvidia.exe | Process created: C:\Windows\SysWOW64\providernvidia.exe C:\Windows\SysWOW64\providernvidia.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: svchost.exe, 0000000A.00000002.466244484.000002A4BBE61000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW |
Source: svchost.exe, 00000007.00000002.221819030.0000011003F40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.283724026.0000026CEF060000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.465548228.000001E2FC790000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.308122256.000001C80BF40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: providernvidia.exe, 00000006.00000002.463769550.00000000007A7000.00000004.00000020.sdmp, svchost.exe, 0000000A.00000002.466184270.000002A4BBE4C000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.463400537.000001D2FDC3C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 0000000D.00000002.463317483.000001D2FDC02000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService |
Source: svchost.exe, 00000007.00000002.221819030.0000011003F40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.283724026.0000026CEF060000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.465548228.000001E2FC790000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.308122256.000001C80BF40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: svchost.exe, 00000007.00000002.221819030.0000011003F40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.283724026.0000026CEF060000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.465548228.000001E2FC790000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.308122256.000001C80BF40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: svchost.exe, 0000000A.00000002.463565249.000002A4B662A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`C |
Source: svchost.exe, 0000000D.00000002.463400537.000001D2FDC3C000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.464006095.000001E2FBC69000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.463746343.00000142C402A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: svchost.exe, 00000007.00000002.221819030.0000011003F40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.283724026.0000026CEF060000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.465548228.000001E2FC790000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.308122256.000001C80BF40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\Desktop\9fdUNaHzLv.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\providernvidia.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation |