Click to jump to signature section
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49710 -> 193.142.146.203:2405 |
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49716 -> 193.142.146.203:2405 |
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49715 -> 193.142.146.203:2405 |
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49713 -> 193.142.146.203:2405 |
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49714 -> 193.142.146.203:2405 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203 |
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744 |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Source: unknown | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1596 |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: msimg32.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: oledlg.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: k7rn7l32.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ntd3ll.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: windowscodecs.dll |
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco |
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe TID: 816 | Thread sleep time: -186000s >= -30000s |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe TID: 816 | Thread sleep time: -29364000s >= -30000s |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f |
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |