Source: |
Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.617874720.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.566464815.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.623674037.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.591039098.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.623704883.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.623698742.000000006DE1A000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.610136610.000000006DE1A000.00000002.00020000.sdmp, vqirYMB1c4.dll |
Source: Yara match |
File source: vqirYMB1c4.dll, type: SAMPLE |
Source: Yara match |
File source: 0.2.loaddll32.exe.6dd90000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 26.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 21.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 13.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 16.2.rundll32.exe.6dd90000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.603138321.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000002.623198627.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000002.623197671.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001A.00000002.591215493.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000D.00000002.590997709.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.558142620.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.623150210.000000006DD91000.00000020.00020000.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDF84BB |
0_2_6DDF84BB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDD1C3C |
0_2_6DDD1C3C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DE067D9 |
0_2_6DE067D9 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDD3E00 |
0_2_6DDD3E00 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDE5150 |
0_2_6DDE5150 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDEE079 |
0_2_6DDEE079 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DE00396 |
0_2_6DE00396 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DE102BC |
0_2_6DE102BC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDF84BB |
2_2_6DDF84BB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDD1C3C |
2_2_6DDD1C3C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DE067D9 |
2_2_6DE067D9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDD3E00 |
2_2_6DDD3E00 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDE5150 |
2_2_6DDE5150 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDEE079 |
2_2_6DDEE079 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DE00396 |
2_2_6DE00396 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DE102BC |
2_2_6DE102BC |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2540:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:468:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:456:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Connectdark |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\vqirYMB1c4.dll',#1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Mindlake |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Porthigh |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,Problemscale |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\vqirYMB1c4.dll,WingGrass |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDD07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6DDD07A7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDF1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6DDF1F6D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6DDD0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6DDD0288 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDD07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_6DDD07A7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDF1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_6DDF1F6D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6DDD0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_6DDD0288 |
Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: loaddll32.exe, 00000000.00000002.586963868.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.558082654.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.618046183.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.579427041.0000000003830000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.618512859.0000000003710000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.618413676.0000000003A20000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.574904537.0000000003AA0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
0_2_6DE0DD96 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_6DE0E518 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6DE0DF65 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_6DE0E6EC |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6DE0E61F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6DDCF1B7 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_6DE0E19F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6DE03952 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6DE0E112 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6DE0E077 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: EnumSystemLocalesW, |
0_2_6DE0E00E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6DE0E3EF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: ___crtGetLocaleInfoEx, |
0_2_6DDCF364 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoW, |
0_2_6DE04323 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
2_2_6DE0DD96 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_6DE0E518 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
2_2_6DE0DF65 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_6DE0E6EC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
2_2_6DE0E61F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
2_2_6DDCF1B7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_6DE0E19F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
2_2_6DE03952 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
2_2_6DE0E112 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
2_2_6DE0E077 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: EnumSystemLocalesW, |
2_2_6DE0E00E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
2_2_6DE0E3EF |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: ___crtGetLocaleInfoEx, |
2_2_6DDCF364 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoW, |
2_2_6DE04323 |