Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp |
Source: | Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp |
Source: | Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp |
Source: | Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp |
Source: | Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r |
Source: powershell.exe, 00000008.00000002.622537318.0000000000C68000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.627265426.0000000003015000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegSvcs.exe, 00000019.00000003.310958362.0000000005D2D000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: powershell.exe, 00000008.00000002.657929211.00000000057B5000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.654327123.0000000005336000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png02 |
Source: powershell.exe, 00000006.00000002.640798276.00000000051BF000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633303383.000000000440F000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: QuotationTXCtyres.exe, 00000000.00000003.265036261.0000000005532000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.635939796.0000000005081000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.632625439.0000000004751000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633056835.00000000042D1000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.636613586.0000000004B01000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.457364423.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000006.00000002.640798276.00000000051BF000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.633303383.000000000440F000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html02 |
Source: RegSvcs.exe, 00000019.00000003.328420355.0000000005D5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: RegSvcs.exe, 00000019.00000003.337399633.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers& |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: RegSvcs.exe, 00000019.00000003.342492866.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlXE |
Source: RegSvcs.exe, 00000019.00000003.337399633.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/tio |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: RegSvcs.exe, 00000019.00000003.339344837.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersF |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: RegSvcs.exe, 00000019.00000003.339089886.0000000005D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP |
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comai |
Source: RegSvcs.exe, 00000019.00000002.494111730.0000000005D20000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiona |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: RegSvcs.exe, 00000019.00000003.314645960.0000000005D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: RegSvcs.exe, 00000019.00000003.316824024.0000000005D4E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnK |
Source: RegSvcs.exe, 00000019.00000003.314645960.0000000005D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: RegSvcs.exe, 00000019.00000003.361142409.0000000005D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/1 |
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G |
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U |
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/ |
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Z |
Source: RegSvcs.exe, 00000019.00000003.323242734.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ |
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U |
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s |
Source: RegSvcs.exe, 00000019.00000003.326313945.0000000005D2B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~ |
Source: powershell.exe, 00000009.00000003.535572028.0000000008B68000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.c |
Source: powershell.exe, 00000009.00000003.531136853.0000000008B2D000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co |
Source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/ |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: RegSvcs.exe, 00000019.00000002.494884569.0000000005E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000C.00000002.641619712.0000000004C48000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000008.00000002.638932192.0000000004891000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester02 |
Source: powershell.exe, 00000008.00000003.533777599.00000000051B2000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000003.499602452.00000000055A2000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000006.00000002.660256551.00000000060E5000.00000004.00000001.sdmp, powershell.exe, 00000008.00000002.657929211.00000000057B5000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.654327123.0000000005336000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.648318996.0000000005B68000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net> |
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 0_2_00CC4A80 | 0_2_00CC4A80 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0357BB58 | 6_2_0357BB58 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0357F96B | 6_2_0357F96B |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0357F6F0 | 6_2_0357F6F0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0357DE88 | 6_2_0357DE88 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B40E8 | 6_2_035B40E8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B5D38 | 6_2_035B5D38 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B8528 | 6_2_035B8528 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B8528 | 6_2_035B8528 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B8528 | 6_2_035B8528 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B40E8 | 6_2_035B40E8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B8528 | 6_2_035B8528 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035B8528 | 6_2_035B8528 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035CD2D0 | 6_2_035CD2D0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035C0040 | 6_2_035C0040 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035CA50F | 6_2_035CA50F |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035F9180 | 6_2_035F9180 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FD660 | 6_2_035FD660 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FB578 | 6_2_035FB578 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FF5F0 | 6_2_035FF5F0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FBB00 | 6_2_035FBB00 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035F6358 | 6_2_035F6358 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035F6368 | 6_2_035F6368 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FB578 | 6_2_035FB578 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035FCA0C | 6_2_035FCA0C |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035F99B0 | 6_2_035F99B0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035F7DD0 | 6_2_035F7DD0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0361F838 | 6_2_0361F838 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0361B468 | 6_2_0361B468 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0361B478 | 6_2_0361B478 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035BE3DB | 6_2_035BE3DB |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00B26A00 | 8_2_00B26A00 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00B27E70 | 8_2_00B27E70 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044B84B8 | 8_2_044B84B8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044B0AA8 | 8_2_044B0AA8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044EF068 | 8_2_044EF068 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E8D48 | 8_2_044E8D48 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044EF068 | 8_2_044EF068 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044EA5B0 | 8_2_044EA5B0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044EA82B | 8_2_044EA82B |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E6A18 | 8_2_044E6A18 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_001C8710 | 9_2_001C8710 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_001C66F8 | 9_2_001C66F8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_001C7780 | 9_2_001C7780 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_001C29B0 | 9_2_001C29B0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006AF2C8 | 9_2_006AF2C8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006AA810 | 9_2_006AA810 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006AAA8B | 9_2_006AAA8B |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006A6C78 | 9_2_006A6C78 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006AF2C8 | 9_2_006AF2C8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006A8FA8 | 9_2_006A8FA8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00C3C9B0 | 9_2_00C3C9B0 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00C3EA10 | 9_2_00C3EA10 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C7E818 | 12_2_00C7E818 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_031FBD30 | 12_2_031FBD30 |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 20_2_01574A80 | 20_2_01574A80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028EB29C | 25_2_028EB29C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028EB1E4 | 25_2_028EB1E4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028EC310 | 25_2_028EC310 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028EB290 | 25_2_028EB290 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028E99D0 | 25_2_028E99D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_028EDFD0 | 25_2_028EDFD0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_075EB4E0 | 25_2_075EB4E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_075EEEC8 | 25_2_075EEEC8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_075EBDB0 | 25_2_075EBDB0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_075EB198 | 25_2_075EB198 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 25_2_075E0006 | 25_2_075E0006 |
Source: 00000019.00000002.452936886.0000000000D30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000019.00000002.468178579.0000000002C68000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000019.00000002.453010740.0000000000D40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000019.00000002.443066305.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 25.2.RegSvcs.exe.d40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 25.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 25.2.RegSvcs.exe.2c8e168.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.2c94dd4.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.d30000.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.2a2b7a8.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 25.2.RegSvcs.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 25.2.RegSvcs.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 25.2.RegSvcs.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll | |
Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe' | |
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | |
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 | |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 | |
Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe' | |
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | |
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | |
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 2356 | |
Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe' | |
Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe' | |
Source: unknown | Process created: C:\Users\user\Desktop\QuotationTXCtyres.exe 'C:\Users\user\Desktop\QuotationTXCtyres.exe' | |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuotationTXCtyres.exe' -Force | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\QuotationTXCtyres.exe' -Force | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | Jump to behavior |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown | |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Process created: unknown unknown | |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbA source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\user\Desktop\QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: iVisualBasic.pdb source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdby source: RegSvcs.exe, 00000019.00000002.491465902.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RegSvcs.exe, 00000019.00000002.468996361.0000000002C8C000.00000004.00000001.sdmp |
Source: | Binary string: .pdb- source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbl source: powershell.exe, 00000006.00000003.567199772.000000000822B000.00000004.00000001.sdmp |
Source: | Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp |
Source: | Binary string: QuotationTXCtyres.PDB source: QuotationTXCtyres.exe, 00000000.00000002.628973345.0000000000AF9000.00000004.00000001.sdmp |
Source: | Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RegSvcs.exe, 00000019.00000002.469242818.0000000003A01000.00000004.00000001.sdmp |
Source: | Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbo source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: | Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbI source: RegSvcs.exe, 00000019.00000003.423112617.0000000005AAF000.00000004.00000001.sdmp |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 0_2_00CC8F48 push ds; iretd | 0_2_00CC8F4A |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 0_2_00CC8F40 push ds; iretd | 0_2_00CC8F42 |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 0_2_00CC8F11 push ds; iretd | 0_2_00CC8F12 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035757F8 push eax; mov dword ptr [esp], edx | 6_2_0357580C |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_03578E01 push eax; mov dword ptr [esp], ecx | 6_2_03578E54 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_03575CF8 push eax; mov dword ptr [esp], edx | 6_2_03575CFC |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_035C5AAF push es; ret | 6_2_035C5AC6 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0361281A push ebx; ret | 6_2_0361287A |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_03613EB0 pushfd ; iretd | 6_2_03613EB9 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00B21D20 pushfd ; ret | 8_2_00B21D21 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044B1F20 push es; ret | 8_2_044B1F30 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E0D68 push eax; mov dword ptr [esp], edx | 8_2_044E0D6C |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E3D00 push eax; mov dword ptr [esp], ecx | 8_2_044E3D14 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E05B2 push eax; mov dword ptr [esp], edx | 8_2_044E05C4 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_044E6A18 pushfd ; ret | 8_2_044E6D29 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_001B1ED8 push eax; mov dword ptr [esp], edx | 9_2_001B1EEC |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006A0A7F push eax; mov dword ptr [esp], edx | 9_2_006A0A84 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006A0E28 push eax; mov dword ptr [esp], edx | 9_2_006A0E2C |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_006A3F60 push eax; mov dword ptr [esp], ecx | 9_2_006A3F74 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C752C9 push esp; iretd | 12_2_00C752D1 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C72D68 push eax; mov dword ptr [esp], edx | 12_2_00C72D7C |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00C7ED1F push edi; retf | 12_2_00C7ED2E |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_031F2D24 push FFFFFF8Bh; iretd | 12_2_031F2D26 |
Source: C:\Users\user\Desktop\QuotationTXCtyres.exe | Code function: 20_2_01572BB0 push eax; mov dword ptr [esp], ecx | 20_2_01572D29 |