Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.484931733.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://94.140.115.8/37 |
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://94.140.115.8/drew/NiEEiC_2F3/2h7kr_2B2M1EBpHcH/ENyHLalFXmOl/_2FTW0ecUVe/3N7nldlK89kw4y/VYeID7 |
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://94.140.115.8/drew/lAbS1TW8Ry8K_2Fy_2F02/IsWfDHUCh87tGSw4/6lgCxLe1Qs4WPGx/DknDiIGwAkcSSAjTq_/2 |
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 00000012.00000003.500324132.00000182D8F5C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: rundll32.exe, 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.140.115.8 |
Source: Yara match |
File source: 00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424240322.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475301685.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424606218.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.472906954.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424163423.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424658030.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424644302.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424536633.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.476686328.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424457867.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR |
Source: Yara match |
File source: 4.2.rundll32.exe.ef0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.48e94a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.48e94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4dca4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4dca4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4e76b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4e494a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.601015727.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.543939686.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.599055996.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.542346452.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.599465657.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475223060.0000000004DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.544562349.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475254135.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00EF4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00EF190C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00EF6D0A NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00EF84C1 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F00DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008FA806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F61AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008E710A GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F7950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F5312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F2331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008E74AE NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008EC431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F6DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008FBE80 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F0782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008E10C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F3829 NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008FEAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008F5220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008E64C4 memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008E36BB NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008EB7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_008ED77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\626a97fea05c8.pdf.dll",#1 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dgvy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dgvy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jehbycm -value gp; new-alias -name tyfittgwsr -value iex; tyfittgwsr ([System.Text.Encoding]::ASCII.GetString((jehbycm "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pyir2nwc\pyir2nwc.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4ECA.tmp" "c:\Users\user\AppData\Local\Temp\pyir2nwc\CSC3492E89F885A4D28ABE1C8363667B7D.TMP" |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vx43imot\vx43imot.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B2B.tmp" "c:\Users\user\AppData\Local\Temp\vx43imot\CSCE0D7D73128344F6AB96E56EC2E032.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a97fea05c8.pdf.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX (70 identical rows collapsed) |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX (26 identical rows collapsed) |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: mshta.exe, 00000011.00000003.496398794.000001B1A0BA4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\b |
Source: explorer.exe, 0000001B.00000000.574335319.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001B.00000000.574335319.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d |
Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: RuntimeBroker.exe, 00000020.00000000.813259722.000002BFD4858000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I |
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.600473682.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.484939842.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 0000001B.00000000.563226300.00000000042EE000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^ |
Source: explorer.exe, 0000001B.00000000.608751295.00000000042A0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O |
Source: Yara match |
File source: 00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424240322.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.530255853.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475301685.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424606218.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.545160730.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.472906954.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.545084241.00000267B3B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424163423.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424658030.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424644302.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424536633.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.476686328.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.424457867.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3340, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR |
Source: Yara match |
File source: 4.2.rundll32.exe.ef0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.48e94a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.48e94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4dca4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4dca4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4e76b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.3.rundll32.exe.4e494a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000004.00000002.601015727.0000000004B4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.543939686.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.599055996.00000000048E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.542346452.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.599465657.00000000008E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475223060.0000000004DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000000.544562349.00000000009F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.475254135.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
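The rows in this section fall into three indicator families: SetErrorMode(NOOPENFILEERRORBOX) calls per process image, hypervisor device strings found in process memory, and Yara matches attributed to memory dumps, process memory spaces and unpacked PEs. The Python below is an added triage helper, not part of this report or of the sandbox's tooling. It parses rows in the layout used above, counts the error-mode events per image, separates hypervisor strings found in the analysis VM's own processes from those in the sample-controlled process, and groups Yara hits by process. The sample rows are constructed to match the layout; reading the leading 8-hex-digit field of a dump name as the process index is inferred from the rows themselves (rundll32.exe, 00000004 alongside 4.2.rundll32.exe), and the hypervisor keyword list is ours.

```python
"""Triage of flattened sandbox behaviour rows (added example, not report output)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the report's own layout: a "Source: ... |" line, then one detail line;
# "Jump to behavior |" is link residue.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 0000001B.00000000.587271714.000000000807C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: rundll32.exe, 00000004.00000002.600414567.0000000000B43000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Yara match |
File source: 00000004.00000003.424373972.0000000004EC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000012.00000003.571518194.00000182D98EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 5008, type: MEMORYSTR |
Source: Yara match |
File source: 4.2.rundll32.exe.ef0000.0.unpack, type: UNPACKEDPE |
"""

ROW_RE = re.compile(r"^(Source|Process information set|Binary or memory string|File source): (.*?) \|$")
# Assumption: the leading 8-hex-digit field of a dump name is the process index (inferred from rows
# such as "rundll32.exe, 00000004..." and "4.2.rundll32.exe...", not from documentation).
DUMP_SOURCE_RE = re.compile(r"^([^,]+), ([0-9A-Fa-f]{8})\.")
DUMP_FILE_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\..*\.sdmp, type: (\w+)$")
MEMSTR_FILE_RE = re.compile(r"^Process Memory Space: (\S+) PID: \d+, type: (\w+)$")
UNPACK_FILE_RE = re.compile(r"^(\d+)\.\d+\.(\S+?\.(?:exe|dll))\.[0-9A-Fa-f]+\.\d+(?:\.raw)?\.unpack, type: (\w+)$")
HYPERVISOR_RE = re.compile(r"vmware|necvmwar|hyper-v|vbox|virtualbox|qemu|xen", re.I)  # our keyword list


def parse_rows(text):
    """Pair each 'Source:' line with the detail line after it; skip link residue."""
    records, source = [], None
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "Jump to behavior |" or any other non key/value line
        key, value = m.groups()
        if key == "Source":
            source = value
        elif source is not None:
            records.append({"source": source, "kind": key, "value": value})
    return records


def error_mode_counts(records):
    """Count SetErrorMode(SEM_NOOPENFILEERRORBOX) events per process image. The flag only
    suppresses the message box OpenFile raises for a missing file, and PowerShell, csc.exe and
    explorer.exe set it in normal operation: a low-weight indicator, never alert on it alone."""
    counts = Counter()
    for r in records:
        if r["kind"] == "Process information set" and r["value"] == "NOOPENFILEERRORBOX":
            counts[r["source"].rsplit("\\", 1)[-1]] += 1
    return dict(counts)


def hypervisor_artifacts(records):
    """Return (process, string) for memory strings naming a hypervisor. Device strings in
    explorer.exe describe the analysis VM itself and prove nothing about the sample; the same
    strings inside a sample-controlled process (rundll32.exe here) suggest it enumerated them."""
    hits = []
    for r in records:
        if r["kind"] == "Binary or memory string" and HYPERVISOR_RE.search(r["value"]):
            m = DUMP_SOURCE_RE.match(r["source"])
            hits.append((m.group(1) if m else r["source"], r["value"]))
    return hits


def yara_hits_by_process(records):
    """Group Yara matches by process, learning index->name from rows that carry both."""
    index_to_name = {}
    for r in records:
        if m := DUMP_SOURCE_RE.match(r["source"]):
            index_to_name[int(m.group(2), 16)] = m.group(1)
        if r["source"] == "Yara match" and (m := UNPACK_FILE_RE.match(r["value"])):
            index_to_name[int(m.group(1))] = m.group(2)
    hits = defaultdict(Counter)
    for r in records:
        if r["source"] != "Yara match":
            continue
        if m := DUMP_FILE_RE.match(r["value"]):
            idx = int(m.group(1), 16)
            hits[index_to_name.get(idx, f"process #{idx} (name not in rows)")][m.group(2)] += 1
        elif m := MEMSTR_FILE_RE.match(r["value"]):
            hits[m.group(1)][m.group(2)] += 1
        elif m := UNPACK_FILE_RE.match(r["value"]):
            hits[m.group(2)][m.group(3)] += 1
    return {name: dict(types) for name, types in hits.items()}


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print(error_mode_counts(recs), hypervisor_artifacts(recs), yara_hits_by_process(recs), sep="\n")
```

On the sample, the dump for process index 0x12 is reported as unresolved because no row in the sample carries that index together with a process name; on the full report the "name, index" sources resolve it. A process that shows Yara hits only in an image-type dump it did not start with (control.exe here) is the one to pull for injected-code analysis.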