Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe
Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Code function: 0_2_004AC2A2 FindFirstFileExW
Code function: 0_2_004E68EE FindFirstFileW,FindClose
Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose
Code function: 0_2_00509576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Code function: 2_2_06BD7F50 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe
Code functions (27): 0_2_0047BF40, 0_2_004E2046, 0_2_00478060, 0_2_004D8298, 0_2_004AE4FF, 0_2_004A676B, 0_2_00504873, 0_2_0047CAF0, 0_2_0049CAA0, 0_2_0048CC39, 0_2_004A6DD9, 0_2_0048B119, 0_2_004791C0, 0_2_00491394, 0_2_00491706, 0_2_0049781B, 0_2_0048997D, 0_2_00477920, 0_2_004919B0, 0_2_00497A4A, 0_2_00491C77, 0_2_004C3CD2, 0_2_00497CA7, 0_2_004FBE44, 0_2_004A9EEE, 0_2_00491F32, 0_2_00B53660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Code functions (34): 2_2_00408C60, 2_2_0040DC11, 2_2_00407C3F, 2_2_00418CCC, 2_2_00406CA0, 2_2_004028B0, 2_2_0041A4BE, 2_2_00418244, 2_2_00401650, 2_2_00402F20, 2_2_004193C4, 2_2_00418788, 2_2_00402F89, 2_2_00402B90, 2_2_004073A0, 2_2_0317CE38, 2_2_0317DA50, 2_2_03170FD0, 2_2_031712D8, 2_2_0317D180, 2_2_03171030, 2_2_06A6C2A8, 2_2_06A67BC0, 2_2_06A6B4F8, 2_2_06A64878, 2_2_06A6D3B8, 2_2_06A6A4F5, 2_2_06A60007, 2_2_06A60040, 2_2_06A912DC, 2_2_06A932B0, 2_2_06BD9360, 2_2_06BD58A8, 2_2_06BD10D0
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
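Added triage example, not part of the sandbox report and not code from the analysed sample: the Python below parses the two Source identifier forms used in the Yara matches above (the `<pid>.<round>.<image>.<base>.<n>[.raw].unpack` carved-PE form and the `<pid>.<round>.<id>.<base>....sdmp` memory-dump form), groups the rule hits by process index and region base, and flags the pattern that matters here: a MALWARE_* rule firing at base 0x400000, the default 32-bit image base, inside a process whose image is a signed .NET Framework utility (RegSvcs.exe, process 2), while the same rule fires at 0x1810000 inside the dropper (process 0). It assumes only that the first field of both forms is the process index and the fourth is the region base address, which the matching unpack and sdmp entries above bear out; the other sdmp fields are deliberately not decoded. The list of commonly hollowed framework hosts is the example's own assumption, not something the report states.

```python
"""Group Yara hits from a Joe Sandbox-style findings list by process and memory region.

Identifier forms handled (only the fields the report itself makes obvious are decoded):
  <pid>.<round>.<image>.<base hex>.<n>[.raw].unpack             carved PE from process <pid>
  <pid 8 digits>.<round>.<id>.<base 16 hex>.<4 x 8 hex>.sdmp    raw memory dump of process <pid>
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the Source / Matched rule pairs listed above.
FINDINGS = [
    ("2.2.RegSvcs.exe.400000.0.unpack", "MALWARE_Win_RedLine"),
    ("2.2.RegSvcs.exe.400000.0.raw.unpack", "MALWARE_Win_RedLine"),
    ("0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack", "MALWARE_Win_RedLine"),
    ("2.2.RegSvcs.exe.5910000.8.unpack", "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID"),
    ("2.2.RegSvcs.exe.4453590.5.unpack", "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID"),
    ("00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp",
     "MALWARE_Win_RedLine"),
    ("00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp",
     "MALWARE_Win_RedLine"),
    ("00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp",
     "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID"),
]

# Assumed list of signed .NET Framework utilities that loaders commonly hollow (not from the report).
FRAMEWORK_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<round>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)\.\d+\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^(?P<pid>\d{8})\.\d{8}\.\d+\.(?P<base>[0-9a-fA-F]{16})(?:\.[0-9a-fA-F]{8}){4}\.sdmp$")


def parse_source(source):
    """Return (process index, image or None, base address, kind) or None for an unknown form."""
    m = UNPACK_RE.match(source)
    if m:
        return int(m["pid"]), m["image"], int(m["base"], 16), "unpack"
    m = SDMP_RE.match(source)
    if m:
        return int(m["pid"]), None, int(m["base"], 16), "sdmp"
    return None


def pid_images(findings):
    """Map process index -> image name, learned from unpack identifiers (sdmp names omit it)."""
    images = {}
    for source, _rule in findings:
        parsed = parse_source(source)
        if parsed and parsed[1]:
            images[parsed[0]] = parsed[1]
    return images


def hits_by_region(findings):
    """Group rule names by (process index, base); a region often appears as both unpack and sdmp."""
    regions = defaultdict(set)
    for source, rule in findings:
        parsed = parse_source(source)
        if parsed:
            pid, _image, base, _kind = parsed
            regions[(pid, base)].add(rule)
    return dict(regions)


def hollowed_hosts(findings):
    """Flag processes whose main module (base 0x400000) matches a MALWARE_* rule while the
    image is a framework utility: the footprint of a loader hollowing a signed host."""
    images = pid_images(findings)
    flagged = []
    for (pid, base), rules in sorted(hits_by_region(findings).items()):
        family = sorted(r for r in rules if r.startswith("MALWARE_"))
        image = images.get(pid, "")
        if base == 0x400000 and family and image.lower() in FRAMEWORK_HOSTS:
            flagged.append((pid, image, family[0]))
    return flagged


if __name__ == "__main__":
    images = pid_images(FINDINGS)
    for (pid, base), rules in sorted(hits_by_region(FINDINGS).items()):
        print(f"process {pid} ({images.get(pid, '?')}) @ {base:#010x}: {', '.join(sorted(rules))}")
    for pid, image, rule in hollowed_hosts(FINDINGS):
        print(f"likely hollowed host: process {pid} {image}, main module matches {rule}")
```

The script deliberately keys on the base address rather than on the rule alone: the VaultSchemaGUID hits at 0x4453590 and 0x5910000 are loaded assemblies inside the same RegSvcs.exe process and do not by themselves say where the code came from, whereas a family rule matching the host's own main module does.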
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack
Cryptographic APIs, by decompiled class:
ZTFEpdjP8zw.cs: 'TransformFinalBlock'
WnRNxU.cs: 'TransformFinalBlock'
2njIk.cs: 'TransformFinalBlock'
I5ElxL.cs: 'CreateDecryptor', 'TransformBlock'
QQSiOsa4hPS.cs: 'CreateDecryptor'
FdHU4eb83Z7.cs: 'TransformFinalBlock'
WP6RZJql8gZrNhVA9v.cs: 'CreateDecryptor' (listed twice)
3VzYbXLJt4.cs: 'TransformFinalBlock' (listed four times)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe
Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll (this sequence is listed twice for ctsdvwT.exe, in the same order)
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 2.2.RegSvcs.exe.304011e.1.raw.unpack, 2.2.RegSvcs.exe.4406458.4.raw.unpack, 2.2.RegSvcs.exe.4453590.5.raw.unpack, 2.2.RegSvcs.exe.5850ee8.6.raw.unpack (all in WP6RZJql8gZrNhVA9v.cs)
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe
Code function: 0_2_00490A76 push ecx; ret (return at 0_2_00490A89)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Code function: 2_2_0041C40C push cs; iretd (return at 2_2_0041C4E2)
Code function: 2_2_00423149 push eax; ret (return at 2_2_00423179)
Code function: 2_2_0041C50E push cs; iretd (return at 2_2_0041C4E2)
Code function: 2_2_004231C8 push eax; ret (return at 2_2_00423179)
Code function: 2_2_0040E21D push ecx; ret (return at 2_2_0040E230)
Code function: 2_2_0041C6BE push ebx; ret (return at 2_2_0041C6BF)
Code function: 2_2_03174360 push edx; iretd (return at 2_2_03174363)
Code function: 2_2_03174392 push ds; iretd (return at 2_2_03174397)
Code function: 2_2_06A970C3 pushfd; retf (return at 2_2_06A970C5)
Code function: 2_2_06A9B981 push es; ret (return at 2_2_06A9B990)
Code function: 2_2_06BD36A1 push es; ret (return at 2_2_06BD36B0)
Code function: 2_2_06BD31AC push es; retf (return at 2_2_06BD31B4)
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 2.2.RegSvcs.exe.304011e.1.raw.unpack, 2.2.RegSvcs.exe.4406458.4.raw.unpack, 2.2.RegSvcs.exe.4453590.5.raw.unpack, 2.2.RegSvcs.exe.5850ee8.6.raw.unpack (all in WP6RZJql8gZrNhVA9v.cs)
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
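Added example, not from the report and not code of the analysed sample: the Python below computes the heuristic behind the finding above, Shannon entropy in bits per character over the concatenation of a class's method names, for the ten names reported and for a constructed baseline of ordinary .NET-style names. The 5.0 bits/char cut-off and the 64-character minimum are assumptions of the example; the sandbox's own threshold is not stated on this page. The caveat for triage: commercial obfuscators rename methods in legitimate software the same way, so this signal supports the Yara and injection evidence rather than standing on its own.

```python
"""Shannon entropy of concatenated method names, the heuristic behind the finding above."""
import math
from collections import Counter

# The ten method names reported above for WP6RZJql8gZrNhVA9v.cs.
OBFUSCATED_NAMES = ['G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL',
                    'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB']

# Constructed baseline: ordinary .NET-style method names, for comparison only.
PLAIN_NAMES = ['GetFileName', 'ReadAllBytes', 'OpenConnection', 'WriteLine', 'ToString',
               'Dispose', 'Initialize', 'SendRequest', 'CloseHandle', 'ParseHeader']

# Assumed decision threshold in bits per character; the sandbox's own cut-off is not given here.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names):
    """Entropy of the names concatenated, which is how the signature above measures them."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold=ENTROPY_THRESHOLD, min_chars=64):
    """True when the concatenation is long enough to judge and exceeds the threshold.
    Short sets are skipped: a handful of names cannot give a stable estimate."""
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) > threshold


if __name__ == "__main__":
    for label, names in (("reported", OBFUSCATED_NAMES), ("baseline", PLAIN_NAMES)):
        verdict = "obfuscated" if looks_obfuscated(names) else "plain"
        print(f"{label}: {method_name_entropy(names):.2f} bits/char, {verdict}")
```

The reported names score around 5.3 bits/char against roughly 4.4 for the baseline, the gap coming from the near-uniform mix of upper case, lower case and digits that a renaming obfuscator produces and that human-written identifiers never do.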
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe
Code function: 0_2_0048F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Code function: 0_2_00501C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, |
2_2_004019F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2400000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399827 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399718 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399597 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399460 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399268 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399147 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2399031 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398922 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398812 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398703 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398593 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398484 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398375 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398265 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398156 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2398047 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397935 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397828 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397719 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397609 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397500 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397390 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397280 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397172 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2397062 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2396952 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2396790 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2395464 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2395358 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2395227 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2395094 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394968 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394859 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394703 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394578 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394465 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394359 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394250 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394140 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2394031 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393922 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393812 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393703 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393594 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393484 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393373 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393265 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393156 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2393047 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 2392937 |
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_004DDBBE |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004AC2A2 FindFirstFileExW, |
0_2_004AC2A2 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E68EE FindFirstFileW,FindClose, |
0_2_004E68EE |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, |
0_2_004E698F |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_004DD076 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_004DD3A9 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_004E9642 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_004E979D |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, |
0_2_004E9B2B |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose, |
0_2_004E5C97 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004A2622 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_0049083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0049083F |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_004909D5 SetUnhandledExceptionFilter, |
0_2_004909D5 |
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe |
Code function: 0_2_00490C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00490C21 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_0040CE09 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_0040E61C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00416F6A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004123F1 SetUnhandledExceptionFilter, |
2_2_004123F1 |
Source: rPO50018137-14_pdf.exe |
Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq><b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}THjq |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program ManagerLReq |
Source: rPO50018137-14_pdf.exe |
Binary or memory string: Shell_TrayWnd |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq?<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}rTHjq |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq8<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}THjq |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq9<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}rTHjq |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003471000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Time: 06/23/2024 11:56:08<br>User Name: user<br>Computer Name: 019635<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}r |
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq3<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br> |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe |
Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation |
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4516804311.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
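The Yara-match list above repeats the same handful of "File source" entries many times, and every one of them points at memory dumped from RegSvcs.exe (process index 2, PID 5304), not at a file on disk. The small Python helper below is an added example, not part of the sandbox report: it parses the three entry kinds (".unpack"/".raw.unpack" unpacked PEs, ".sdmp" memory regions, and "Process Memory Space" string dumps), collapses duplicates, and produces one view per process of which regions matched. The field layout of the dump names is inferred from the names themselves and is an assumption, as is the reading of two of the ".sdmp" fields as Win32 page-protection and memory-type values (the constants 0x04, 0x20000 and 0x40000 seen on the page are consistent with PAGE_READWRITE, MEM_PRIVATE and MEM_MAPPED); the remaining fields are kept opaque. The sample input is constructed from lines on this page, with one deliberate duplicate.

```python
import re
from collections import defaultdict

# Constructed sample: "File source" lines of the three kinds that appear in the
# Yara-match list of this report. The third line duplicates the first on purpose.
SAMPLE_REPORT = """\
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
"""

# Assumed layout: <proc idx>.<dump idx>.<image>.<hex address>.<n>.[raw.]unpack
UNPACK_RE = re.compile(
    r"^File source: (?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+?)\."
    r"(?P<addr>[0-9a-fA-F]+)\.(?P<n>\d+)\.(?P<raw>raw\.unpack|unpack), type: UNPACKEDPE$"
)
# Assumed layout: <proc idx>.<dump idx>.<id>.<base>.<protect>.<f2>.<type>.<f4>.sdmp
# Only <protect> and <type> are decoded below; <f2> and <f4> are left opaque.
SDMP_RE = re.compile(
    r"^File source: (?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<f4>[0-9A-Fa-f]{8})\.sdmp, type: MEMORY$"
)
MEMSTR_RE = re.compile(
    r"^File source: Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+), type: MEMORYSTR$"
)

# Win32 MEMORY_BASIC_INFORMATION constants. That the sdmp fields hold Protect and
# Type is an assumption; it is consistent with every value seen in the report.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def summarize_yara_sources(text):
    """Collapse repeated 'File source' lines into one view: unpacked PEs per
    (process, image), decoded memory regions per process, PIDs, and how many
    exact duplicate lines were discarded."""
    seen = set()
    summary = {
        "unpacked": defaultdict(set),   # (proc, image) -> {(address, is_raw)}
        "regions": defaultdict(dict),   # proc -> {base: {"protect", "type"}}
        "pids": {},                     # image -> pid
        "duplicates": 0,
    }
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in seen:
            summary["duplicates"] += 1
            continue
        seen.add(line)
        m = UNPACK_RE.match(line)
        if m:
            key = (int(m["proc"]), m["image"])
            summary["unpacked"][key].add((int(m["addr"], 16), m["raw"] == "raw.unpack"))
            continue
        m = SDMP_RE.match(line)
        if m:
            proc, base = int(m["proc"]), int(m["base"], 16)
            summary["regions"][proc][base] = {
                "protect": PAGE_PROTECT.get(int(m["protect"], 16), m["protect"]),
                "type": MEM_TYPE.get(int(m["type"], 16), m["type"]),
            }
            continue
        m = MEMSTR_RE.match(line)
        if m:
            summary["pids"][m["image"]] = int(m["pid"])
    return summary


def unpacked_pe_addresses(summary, proc, image):
    """Sorted distinct load addresses of unpacked PEs found in one process."""
    return sorted(addr for addr, _ in summary["unpacked"][(proc, image)])


if __name__ == "__main__":
    s = summarize_yara_sources(SAMPLE_REPORT)
    print("duplicate lines dropped:", s["duplicates"])
    for (proc, image), entries in s["unpacked"].items():
        print(f"process {proc} ({image}) unpacked PEs at:",
              ", ".join(hex(a) for a in sorted(a for a, _ in entries)))
    for proc, regions in s["regions"].items():
        for base, info in sorted(regions.items()):
            print(f"process {proc} region {base:#x}: {info['protect']} {info['type']}")
    print("PIDs:", s["pids"])
```

Run over the full list on this page, the output is short: one process, a few writable private or mapped regions, and the unpacked PEs that Yara flagged inside them. That is the pattern to look for when a Microsoft-signed host such as RegSvcs.exe is the only place the payload ever exists in PE form.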