Source: unknown | TCP traffic detected without corresponding DNS query: 37.0.14.198 |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000002.299907239.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: Yara match | File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR |
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0250C364 | 0_2_0250C364 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0250E730 | 0_2_0250E730 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0250E720 | 0_2_0250E720 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB0510 | 0_2_06FB0510 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB90E8 | 0_2_06FB90E8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB5168 | 0_2_06FB5168 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB0F08 | 0_2_06FB0F08 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB1DF8 | 0_2_06FB1DF8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB8A40 | 0_2_06FB8A40 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB46EC | 0_2_06FB46EC |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB46D1 | 0_2_06FB46D1 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB4693 | 0_2_06FB4693 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB8490 | 0_2_06FB8490 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB847F | 0_2_06FB847F |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB45E8 | 0_2_06FB45E8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB45D8 | 0_2_06FB45D8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2578 | 0_2_06FB2578 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB0500 | 0_2_06FB0500 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB43C8 | 0_2_06FB43C8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB43B9 | 0_2_06FB43B9 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB4188 | 0_2_06FB4188 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB4179 | 0_2_06FB4179 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB515B | 0_2_06FB515B |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB0EF9 | 0_2_06FB0EF9 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB3F80 | 0_2_06FB3F80 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB3F71 | 0_2_06FB3F71 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB5CE0 | 0_2_06FB5CE0 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2CD8 | 0_2_06FB2CD8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2CC8 | 0_2_06FB2CC8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB5CAD | 0_2_06FB5CAD |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2C91 | 0_2_06FB2C91 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB1DAD | 0_2_06FB1DAD |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2AD8 | 0_2_06FB2AD8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB2AC9 | 0_2_06FB2AC9 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB8A30 | 0_2_06FB8A30 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB38D8 | 0_2_06FB38D8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB38D7 | 0_2_06FB38D7 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB38C8 | 0_2_06FB38C8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FBD848 | 0_2_06FBD848 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FBD838 | 0_2_06FBD838 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB09B0 | 0_2_06FB09B0 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_06FB09A0 | 0_2_06FB09A0 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0ADD74B8 | 0_2_0ADD74B8 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0ADD0040 | 0_2_0ADD0040 |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Code function: 0_2_0ADD86E0 | 0_2_0ADD86E0 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0267C364 | 25_2_0267C364 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0267E720 | 25_2_0267E720 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0267E730 | 25_2_0267E730 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0A5D74B8 | 25_2_0A5D74B8 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0A5D0040 | 25_2_0A5D0040 |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0A5D001E | 25_2_0A5D001E |
Source: C:\Users\user\AppData\Roaming\.exe | Code function: 25_2_0A5D86E0 | 25_2_0A5D86E0 |
Source: unknown | Process created: C:\Users\user\Desktop\BfwPdttqxH.exe "C:\Users\user\Desktop\BfwPdttqxH.exe" | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat"" | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe" | |
Source: C:\Users\user\AppData\Roaming\.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\AppData\Roaming\.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\AppData\Roaming\.exe | Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe | |
Source: C:\Users\user\AppData\Roaming\.exe | Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable | |
Source: C:\Users\user\Desktop\BfwPdttqxH.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
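The process tree above shows the sample's whole persistence and evasion routine in five command lines: a PowerShell Add-MpPreference call that adds a Defender exclusion, a schtasks task imported from an XML file in the user's Temp directory, a second onlogon task with /rl highest pointing into AppData\Roaming, a dropped .tmp.bat run by cmd.exe, and the binary spawning a fresh copy of itself (the usual precursor to hollowing the child). The following detection logic is an added example written for this page, not part of the sandbox report; the events it scans are constructed here after the listing above and are not real telemetry, and the rule names and the (parent, command line) event shape are assumptions, chosen to be easy to map onto Sysmon event 1 or 4688 fields.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # (parent image path, child command line); assumed shape

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

# Constructed sample events modelled on the process tree in the listing above,
# plus two benign lines (a backup task import and a read-only Defender query)
# that the rules must not flag. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    (r"C:\Users\user\Desktop\BfwPdttqxH.exe",
     r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe"'),
    (r"C:\Users\user\Desktop\BfwPdttqxH.exe",
     r'C:\Windows\System32\schtasks.exe /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp"'),
    (r"C:\Users\user\Desktop\BfwPdttqxH.exe",
     r"C:\Users\user\Desktop\BfwPdttqxH.exe"),
    (r"C:\Users\user\Desktop\BfwPdttqxH.exe",
     r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '
     "'" r'"C:\Users\user\AppData\Roaming\.exe"' "' & exit"),
    (r"C:\Users\user\Desktop\BfwPdttqxH.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'schtasks /create /f /sc onlogon /rl highest /tn "" /tr ' "'" r'"C:\Users\user\AppData\Roaming\.exe"' "'"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"timeout 3"),
    (r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\explorer.exe",
     r'C:\Windows\System32\schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-MpPreference"),
]


def image_path(cmdline: str) -> str:
    """First token of a command line: the quoted path if it starts with a quote
    (paths with spaces), otherwise everything up to the first whitespace."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0]


def image_name(cmdline: str) -> str:
    """Lower-cased executable name, e.g. 'cmd.exe' or 'schtasks'."""
    return image_path(cmdline).rsplit("\\", 1)[-1].lower()


def detect(parent: str, cmdline: str) -> List[str]:
    """Return the names of every rule the (parent, child command line) pair trips."""
    hits: List[str] = []
    img = image_name(cmdline)
    low = cmdline.lower()

    # Defender tampering: PowerShell adding an exclusion (-ExclusionPath,
    # -ExclusionProcess, -ExclusionExtension). Read-only cmdlets such as
    # Get-MpPreference do not match.
    if img == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        hits.append("defender_exclusion_added")

    # Scheduled-task persistence. Matching the command line rather than the image
    # catches both schtasks.exe itself and the cmd.exe /c wrapper seen above.
    if "schtasks" in low and "/create" in low:
        if "/xml" in low and TEMP_DIR.search(cmdline):
            hits.append("schtask_from_temp_xml")
        if "/sc onlogon" in low and "/rl highest" in low and ROAMING_DIR.search(cmdline):
            hits.append("schtask_onlogon_highest_roaming")
        if '/tn ""' in low:  # an empty task name is never produced by a legitimate installer
            hits.append("schtask_empty_name")

    # Dropped batch file executed out of the user's Temp directory.
    if img == "cmd.exe" and ".bat" in low and TEMP_DIR.search(cmdline):
        hits.append("cmd_runs_temp_bat")

    # A process launching a fresh copy of its own binary. Exact path comparison is
    # enough here; on real hosts normalise SysWOW64/System32 redirection first,
    # since the parent path is logged as SysWOW64 for 32-bit processes.
    if image_path(cmdline).lower() == parent.lower():
        hits.append("self_spawn")

    return hits


def scan(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events by the rule they trip; events tripping nothing are dropped."""
    findings: Dict[str, List[Event]] = defaultdict(list)
    for parent, cmdline in events:
        for rule in detect(parent, cmdline):
            findings[rule].append((parent, cmdline))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {len(hits)}")
        for parent, cmdline in hits:
            print(f"    {parent} -> {cmdline}")
```

Run against the constructed events, the scan flags the exclusion, both task-creation forms, the Temp batch file and the self-spawn while leaving conhost, timeout, the backup task import and Get-MpPreference untouched. On a live host the same indicators can be confirmed directly: the exclusion shows up in the ExclusionPath list of Get-MpPreference, and the tasks appear under the Updates\ folder and as an unnamed onlogon task in the Task Scheduler library.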