Source: svchost.exe, 0000000D.00000002.3693187786.000002CE7C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3694275058.000002CE7CB02000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.13.dr | String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd |
Source: svchost.exe, 00000002.00000002.1426700791.0000026366213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.comc |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ |
Source: svchost.exe, 00000002.00000002.1426886129.0000026366270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1414299016.000002636625A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1385716596.000002636626E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 00000002.00000002.1426886129.0000026366270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1385716596.000002636626E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/ |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 00000002.00000003.1414299016.000002636625A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 00000002.00000002.1426775775.0000026366241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 00000002.00000003.1383970177.0000026366234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000002.00000002.1426775775.0000026366241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1401912422.000002636625E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 00000002.00000003.1383970177.0000026366234000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ |
Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000002.00000003.1410254879.000002636625D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= |
Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown |
Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen |
Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12 |
Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 20_2_00409A6B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_00459A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 24_2_00459A6B |
Source: unknown | Process created: C:\Users\user\Desktop\vyrcclmm.exe "C:\Users\user\Desktop\vyrcclmm.exe" | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\ | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\ | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support" | |
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection" | |
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bzycpcet | |
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe" | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul | |
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time | |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe | |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable | |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\ | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\ | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support" | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection" | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bzycpcet | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: msimg32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: dbghelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: edputil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: appresolver.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: usosvc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: updatepolicy.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: upshared.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: usocoreps.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: usoapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: msimg32.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: dbghelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: msvcr100.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B |
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 20_2_00409A6B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_00459A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 24_2_00459A6B |