Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr |
String found in binary or memory: http://%s/fakeurl.htm |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr |
String found in binary or memory: http://%s/testpage.htm |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, HTCTL32.DLL.8.dr |
String found in binary or memory: http://%s/testpage.htmwininet.dll |
Source: client32.exe, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://127.0.0.1 |
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://127.0.0.1RESUMEPRINTING |
Source: wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.mic |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: client32.exe, 0000000A.00000003.1821012459.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1827697976.00000000059EF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp |
Source: client32.exe, 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s) |
Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspwe |
Source: client32.exe, 0000000A.00000003.1532975213.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1527325191.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1524166542.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1821012459.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1540191948.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspws |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01667000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ggoryo.com |
Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://s2.symcb.com0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://sv.symcb.com/sv.crt |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://sv.symcd.com0& |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp |
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, client32.exe.8.dr |
String found in binary or memory: http://www.netsupportsoftware.com |
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.pci.co.uk/support |
Source: client32.exe, 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.pci.co.uk/supportsupport |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00BE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00BF8000.00000004.00000800.00020000.00000000.sdmp, remcmdstub.exe.8.dr, PCICHEK.DLL.8.dr, pcicapi.dll.8.dr, HTCTL32.DLL.8.dr, TCCTL32.DLL.8.dr, PCICL32.DLL.8.dr |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggorxo.com/ |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C0139F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C00229000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com |
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1346975876.000001FC5729F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/ |
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/0X |
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57274000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/s |
Source: wscript.exe, 00000000.00000003.1487288378.000001FC55788000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/trade/da |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00001000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/trade/da.php?9800 |
Source: wscript.exe, 00000000.00000003.1369359764.000001FC5575A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1389692516.000001FC555C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244089717.000001FC54A57000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/trade/fix.php?6867 |
Source: wscript.exe, 00000000.00000003.1347982626.000001FC4FC26000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ggoryo.com/trade/fix.php?6867EF |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C018BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: wscript.exe, 00000000.00000003.1366341815.000001FC53AFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1243375949.000001FC518D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js |
String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C00F61000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.1738259741.0000026C1006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1567156116.0000026C01A34000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000008.00000002.1567156116.0000026C016AF000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js |
String found in binary or memory: https://www-googleapis-staging.sandbox.google.com |
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355050587.000001FC57D4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js |
String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html |
Source: wscript.exe, 00000000.00000003.1253318916.000001FC539D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlX |
Source: wscript.exe, 00000000.00000003.1416060813.000001FC5443D000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.htmlXVNT |
Source: wscript.exe, 00000000.00000003.1235146786.000001FC52487000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255625344.000001FC51AFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1234062822.000001FC52877000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236345430.000001FC53047000.00000004.00000020.00020000.00000000.sdmp, Update.js |
String found in binary or memory: https://www.googleapis.com |
Source: wscript.exe, 00000000.00000003.1388374479.000001FC55692000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.googleapis.comp |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: pcicl32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: pcichek.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: pcicapi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: msvcr100.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: oleacc.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: netapi32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: samcli.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: dbghelp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: wtsapi32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: dbgcore.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: nsmtrace.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: nslsp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: devobj.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: pcihooks.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: winsta.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: riched32.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: pciinv.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: firewallapi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: fwbase.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: fwpolicyiomgr.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11113380 IsIconic,GetTickCount, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Code function: 10_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: HTCTL32.DLL.8.dr |
Binary or memory string: VMware |
Source: wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 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 |
Source: HTCTL32.DLL.8.dr |
Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) - |
Source: wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CKnMRTfTfsAZHjDGmKpuzSQIiYPHJSPpQYsWysXIPUVifMnfPvGLyMfTgshOjQCIanDeTRUsMkGWyAGJtvEpjqczQOLxKFRBNnXTsOrAofFlTAQWFWJjkyYNSfcoNAptziWrqsxamtFHcFWLWFhutsZHMlpqciouqTJteqqmnxengSfwNrqjvRvnwyeeLliSvcaXJOVmMGYkALPiTFVBHCkjuKbGJlgbZuyCFqdVkRgDViFOGJhYlwKygomLINmgRDtlKaRTEEFxNZOCYJTAMdPOhzpcyQLLROPndlsbXpzXZwgxnFcMKoLMeCfAxujbcQuPyByLRZVbJJzvSwkMuKOevWjDDBlOfBNYOEzyLriAaLxupslqNYsqSRZvguXeuootrrbMgOaiEcMnERuqauhkUjnHPdhelIcJwLkYTwWWEHMYzbaTQrqIfvjkNqjwPeYvWDKWcrouaVhIPTDlzatNyKyhHPUUHHsVEvcYafrsrMaWzSGxyhIXlYPvsfCwskecJgoGXDfXjCxcdrgaWlxkEQQAfibyEgRJGXEAWEiPveLpJKfyzltKBsyWxKjbGHHRDDkIsBhYIZQKWbyZJwZqnOCcPqNlYPklUPYBLauMligHZpgSttJHkqZqDNuRdOgJFyicaZyrACqijTHDVNXCQqQzPYFjyCFlLEAaUZYOtQBYvFAqsSTmSYnkfkzgMWqFUZXoTRBFzpWwpvyjhiQhgpOuxfCWxzafCNaAfhsuoWCTnrrAKAAskRsYFWGHiZjhRyKgkFABzDYIkkIFPZbJtlIQSoMSqbJWZnWFNRRsnmgRbxSpTdmqYBmqMxUddsaOcyREuoCdPKkrXyRuUtkIsIxgetNUvGkSIDOiaMNbeWMOrNvayRYaIdtBLdKOGyiDSEZlGzHhPxOKVdExlQqlpoZsFWqhPwFqesgPEINDsGcMTXODNTkZtIAQUvNrkkbiixVaFZQLGVGJeMKeDPpsvvSbMwSFQmkqjvDbByOuPaeVDFERfpAJCRSJJzchlkIfWgXnHDIRKHCsiVSmGEgNhVkIPqUrlZIBuwBZXGiTIOxIFaYhgsWsLyfOfPBjfXJhIlnMvckylHikUfURHflPjXOGGMLzlOWEcCXDwkBIZkBOTdqTshrNFfvsnifppkahlOkpGpHvvttjjiQJeSSXVMhMdLTdubCpXtyJFGIHwswLEXSGvvnfgZFOzESEePpLVEdahceGxirGantREzNXYLrxQxvvDNFCAzzDVEHTdSuWIHAKTMbpyuAPqpoxOIRGTKJZHxVIiMorMCzWfwegjeUDIvuDbfNSqvdLFyCxVKsjmNaPsVTxbhvBPxqCLDTJsiuLfNtRlsEiWdRjCclGFyPaDuNqLGDuMWUXmDvseghDVZxfzgawcDJNCqIBCpzhYriTwASvvCEIJQVNAXlPORcVxtTkZHwcDReEluWtHbBxbayANwMXrkEVwEUDTuvDGiWtPkxpFleOjiyjWDEpoICeZomWLvPaOGVHdzfwObZPtbkANeyqPUndSEotGFOsZNWqtDAUZJDHSVCcbXkMOFXCdRSKDoXyUpLhHsxhLZFMexaYIbDdGidpCQUbXEFIANKIPzlCHCNRrSlKOoBciNvBaCiKolfbzaiPlhChNmHsnkgfefeECaAQjaVPsZYzYIUkIZuOjphCfVIGDcwfazQByQJfBaPjLGEAVdxWEVoJiAuXmbIvLRrdpYGvSjgrSSKrTqYWJhlBhGCeJgTesAPUWyOLwDqepbFeZUOrfNiUuvEZyOamtngXLlNXwNOTLoPWBGWCmhDqtapCuAdwVlzZGIECrrCDtFsBEsTDUiGxBRrTOOdDTKOJiPvuLlEcvYavDYOwsSvWgwPldeeGtELvCLVFEtzkidfPutHWbUJhQcNgAohGFsSOdHlwBJWKOgGoSEQxoHXxMEmceyunawzTXuATqyKuBdqDhHxCehwyGFamkLw
ZALsxTYagUJFlrjPBwFFZGyMGSheMNRFpkaWDMVaGRwxDfvJzZkpQwcaFwCHnnAlfkjNMS |
Source: TCCTL32.DLL.8.dr |
Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s |
Source: client32.exe, 0000000A.00000003.1539891812.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.0000000005997000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523977080.0000000005992000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526874385.0000000005990000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWen-GBnD |
Source: wscript.exe, 00000000.00000003.1346975876.000001FC57262000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1830086610.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1526350208.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1536730787.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1539453940.00000000059A8000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.1523563518.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000002.2491283544.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: HTCTL32.DLL.8.dr |
Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla |
Source: TCCTL32.DLL.8.dr |
Binary or memory string: VMWare |
Source: wscript.exe, 00000000.00000003.1356978287.000001FC57DCF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: xOIRGTKJZHxVIiMorMCzWfwegjeUDIvuDbfNSqvdLFyCxVKsjmNaPsVTxbhvBPxqCLDTJsiuLfNtRlsEiWdRjCclGFyPaDuNqLGDuMWUXmDvseghDVZxfzgawcDJNCqIBCpzhYriTwASvvCEIJQVNAXlPORcVxtTkZHwcDReEluWtHbBxbayANwMXrkEVwEUDTuvDGiWtPkxpFleOjiyjWDEpoICeZomWLvPaOGVHdzfwObZPtbkANeyqPUndSEotGFOsZNWqtDAUZJDHSVCcbXkMOFXCdRSKDoXyUpLhHsxhLZFMexaYIbDdGidpCQUbXEFIANKIPzlCHCNRrSlKOoBciNvBaCiKolfbzaiPlhChNmHsnkgfefeECaAQjaVPsZYzYIUkIZuOjphCfVIGDcwfazQByQJfBaPjLGEAVdxWEVoJiAuXmbIvLRrdpYGvSjgrSSKrTqYWJhlBhGCeJgTesAPUWyOLwDqepbFeZUOrfNiUuvEZyOamtngXLlNXwNOTLoPWBGWCmhDqtapCuAdwVlzZGIECrrCDtFsBEsTDUiGxBRrTOOdDTKOJiPvuLlEcvYavDYOwsSvWgwPldeeGtELvCLVFEtzkidfPutHWbUJhQcNgAohGFsSOdHlwBJWKOgGoSEQxoHXxMEmceyunawzTXuATqyKuBdqDhHxCehwyGFamkLwZALsxTYagUJFlrjPBwFFZGyMGSheMNRFpkaWDMVaGRwxDfvJzZkpQwcaFwCHnnAlfkjNMWcelVOGSgvLMxodYHRWHufGAojPDealwEKZluyLGeflVXfYskNMdfFiJPGjTcvbVAMzBzGorDpEYaIadRmIBCdnczPiPTCQHyhRRtfruEFVlrUTseQPkMZhTsQYTtiOFHtJNpeylFhkzfoNqBRAvSkElYlwlGFIuNMPXicjOgmWzhLvoWqXxofrbtodxIOBvtoAZyigpHtzVOyHAQweogiowYzmgLheppgcgDXJYhptekwwyHrTMWvblqiDSXdUXXnFAtilfpuykHeddZNHFBqScsyMixLFUTDBrIYSkUAtMXQXlqNohLyzfnGBIuHOlfArCmnNcnoXVahHBezDoOjBCjlpBXHwIMRIzEjZMGYPhZORYagLjxZcCRFlwaCNAvwEZfevKOiOAzkMXyAbfocEEEwextPTpCGjMmMqMtSbVvuNlmVuByLVByHCATlRgizBZViWjARkfWMKRGBWYQSiisCnNbNVpVMDXLXDtbMdXCspTdXhvvZuJzjgfcJdDvVEgsSrAhZaErRyqMouKXWmlyZIYSHkGWMfNIXQRUGNfIZgbVgQJbAiIzLJDeClIZZGgQqvgMwxpjUMmCDHiloYlMSvAUHTvaARlothFoReDneuWyhUFsuLJPnDgtXLVFyWvvMdUyyowpknwcjGyfhzhUWTmWuHtdzVlNhQgZqNfMCDiHXrcYndLhUQDrdWvIqffaANUXBivhUGcNyGVevxEBZSxGTyQXUrTiByIBMIZmkDOVGrLOULRtwiuLdTzLTFnXLNtlnLwFctLTHbxKQtFUoLZPSgJvxtAnUpTdAddPdRhplnfuZeqiHsAwvEyVIMTMBJeJqyiYlpogvRpJmSvrcfhqfyJYkrnIySCFhFHriGcoKvQYrIAmrjseiogmjMQKNKqGlKtmxiZvVPgcEbXmdCEeATesgaLusembdMkUaxFAlndqTTKrEYVLJndqkuREwsdouqLmiFQyzRvvrYVlepCTDtAqaBVqbVcRNsAVBgAwhFQnHZtwOutGgrjglykXnobrlMpBxhXmxGZcUtxcpZALkGEYtkVjBroCZIFRLHDawgjRtfCEAiUrBwKKvmJEUDCfrroaNSFluJwkKBdMFTOCWHuuAdiBdREkKSRYiKEueiYxVgWMtJDrDXPcYBMmLqQMDKSLLKqWPTVxFGneAYLaVsYJnRvaVYBBFDQilsHvQfwqQlqscfvhvLKUmoCJTUjavgmbKBLMFpvEFsrJtdVVvtcmuwHTEMvBDXgipznDWsaHTvtYDQcOof |
Source: wscript.exe, 00000000.00000003.1348423839.000001FC57BD1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vvnfgZFOzESEePpLVEdahceGxirGantREzNXYLrxQxvvDNFCAzzDVEHTdSuWIHAKTMbpyuAPqpoxOIRGTKJZHxVIiMorMCzWfwegjeUDIvuDbfNSqvdLFyCxVKsjmNaPsVTxbhvBPxqCLDTJsiuLfNtRlsEiWdRjCclGFyPaDuNqLGDuMWUXmDvseghDVZxfzgawcDJNCqIBCpzhYriTwASvvCEIJQVNAXlPORcVxtTkZHwcDReEluWtHbBxbayANwMXrkEVwEUDTuvDGiWtPkxpFleOjiyjWDEpoICeZomWLvPaOGVHdzfwObZPtbkANeyqPUndSEotGFOsZNWqtDAUZJDHSVCcbXkMOFXCdRSKDoXyUpLhHsxhLZFMexaYIbDdGidpCQUbXEFIANKIPzlCHCNRrSlKOoBciNvBaCiKolfbzaiPlhChNmHsnkgfefeECaAQjaVPsZYzYIUkIZuOjphCfVIGDcwfazQByQJfBaPjLGEAVdxWEVoJiAuXmbIvLRrdpYGvSjgrSSKrTqYWJhlBhGCeJgTesAPUWyOLwDqepbFeZUOrfNiUuvEZyOamtngXLlNXwNOTLoPWBGWCmhDqtapCuAdwVlzZGIECrrCDtFsBEsTDUiGxBRrTOOdDTKOJiPvuLlEcvYavDYOwsSvWgwPldeeGtELvCLVFEtzkidfPutHWbUJhQcNgAohGFsSOdHlwBJWKOgGoSEQxoHXxMEmceyunawzTXuATqyKuBdqDhHxCehwyGFamkLwZALsxTYagUJFlrjPBwFFZGyMGSheMNRFpkaWDMVaGRwxDfvJzZkpQwcaFwCHnnAlfkjNMWcelVOGSgvLMxodYHRWHufGAojPDealwEKZluyLGeflVXfYskNMdfFiJPGjTcvbVAMzBzGorDpEYaIadRmIBCdnczPiPTCQHyhRRtfruEFVlrUTseQPkMZhTsQYTtiOFHtJNpeylFhkzfoNqBRAvSkElYlwlGFIuNMPXicjOgmWzhLvoWqXxofrbtodxIOBvtoAZyigpHtzVOyHAQweogiowYzmgLheppgcgDXJYhptekwwyHrTMWvblqiDSXdUXXnFAtilfpuykHeddZNHFBqScsyMixLFUTDBrIYSkUAtMXQXlqNohLyzfnGBIuHOlfArCmnNcnoXVahHBezDoOjBCjlpBXHwIMRIzEjZMGYPhZORYagLjxZcCRFlwaCNAvwEZfevKOiOAzkMXyAbfocEEEwextPTpCGjMmMqMtSbVvuNlmVuByLVByHCATlRgizBZViWjARkfWMKRGBWYQSiisCnNbNVpVMDXLXDtbMdXCspTdXhvvZuJzjgfcJdDvVEgsSrAhZaErRyqMouKXWmlyZIYSHkGWMfNIXQRUGNfIZgbVgQJbAiIzLJDeClIZZGgQqvgMwxpjUMmCDHiloYlMSvAUHTvaARlothFoReDneuWyhUFsuLJPnDgtXLVFyWvvMdUyyowpknwcjGyfhzhUWTmWuHtdzVlNhQgZqNfMCDiHXrcYndLhUQDrdWvIqffaANUXBivhUGcNyGVevxEBZSxGTyQXUrTiByIBMIZmkDOVGrLOULRtwiuLdTzLTFnXLNtlnLwFctLTHbxKQtFUoLZPSgJvxtAnUpTdAddPdRhplnfuZeqiHsAwvEyVIMTMBJeJqyiYlpogvRpJmSvrcfhqfyJYkrnIySCFhFHriGcoKvQYrIAmrjseiogmjMQKNKqGlKtmxiZvVPgcEbXmdCEeATesgaLusembdMkUaxFAlndqTTKrEYVLJndqkuREwsdouqLmiFQyzRvvrYVlepCTDtAqaBVqbVcRNsAVBgAwhFQnHZtwOutGgrjglykXnobrlMpBxhXmxGZcUtxcpZALkGEYtkVjBroCZIFRLHDawgjRtfCEAiUrBwKKvmJEUDCfrroaNSFluJwkKBdMFTOCWHuuAdiBdREkKSRYiKEueiYxVgWMtJDrDXPcYBMmLqQMDKSLLKqWPTVxFGneAYLaVsYJnRvaVYBBFDQilsHvQfwS |
Source: powershell.exe, 00000008.00000002.1840183751.0000026C752E5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: powershell.exe, 00000008.00000002.1840183751.0000026C751C3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe |
Queries volume information: C:\ VolumeInformation |
Source: Yara match |
File source: 10.2.client32.exe.747f0000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.0.client32.exe.440000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.client32.exe.73a80000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.client32.exe.111b8c68.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.client32.exe.6ca80000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.powershell.exe.26c00bcaaf0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.powershell.exe.26c00bc08a0.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.powershell.exe.26c00ba9ff8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 10.2.client32.exe.11000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0000000A.00000002.2489223815.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2505080118.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1567156116.0000026C00BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1567156116.0000026C00CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2521599534.00000000111E2000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2519676466.0000000011194000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000002.2532853143.000000006CAC0000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1567156116.0000026C00BBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000A.00000000.1514998417.0000000000442000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1567156116.0000026C00B9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1567156116.0000026C0059F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 6704, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: client32.exe PID: 4108, type: MEMORYSTR |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\client32.exe, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICHEK.DLL, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\pcicapi.dll, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\TCCTL32.DLL, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\HTCTL32.DLL, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\EQMIUFUUUCW3\PCICL32.DLL, type: DROPPED |