Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code function: 1_2_00A09FD3 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00AEDE7C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
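The rows above are the sandbox's static view of the file-system code in the two native binaries: FindFirstFileW/FindNextFileW loops, some of them combined with CopyFileW/MoveFileW/DeleteFileW, with SetFileAttributesW, with SetCurrentDirectoryW (a subtree walk) or with a Sleep inside the loop. Note that 2_2_00AC399B and 10_2_00AC399B are the same function in urdavsa.pif seen from two process instances (same image base, same address), not two findings. The following is an added example, not part of this report and not code from the sandbox vendor or the malware: a parser that turns such rows into a per-function capability summary and merges repeated instances. The capability names, the tagging rules and the selection of sample rows are this example's own assumptions.

```python
"""Capability triage for the 'Code function' rows of a sandbox report.

Added example for this page; it is not part of the report, of the sandbox
vendor's tooling or of the malware. It parses rows of the form
'Code function: <instance>_<dump>_<address> <API>,<API>,...' as they appear
above, merges a function that the report lists once per process instance, and
tags it with what its API mix implies. The capability names and the tagging
rules are this example's own assumptions.
"""
import re

# Constructed input: a subset of the rows listed above, copied verbatim.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe |
Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, |
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif |
Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif |
Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif |
Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif |
Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif |
Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, |
"""

SOURCE_RE = re.compile(r"Source:\s*([^|]+)")
FUNC_RE = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]+)\s+([\w,]*)")
ENUMERATE = {"FindFirstFileW", "FindFirstFileA", "FindFirstFileExW", "FindFirstFileExA"}


def parse_rows(text):
    """Yield (image, instance, dump, address, apis) for each Code function row."""
    image = None
    for line in text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            image = m.group(1).strip().rsplit("\\", 1)[-1]
        f = FUNC_RE.search(line)
        if f and image:
            apis = [a for a in f.group(4).split(",") if a]
            yield image, int(f.group(1)), int(f.group(2)), f.group(3).upper(), apis


def capabilities(apis):
    """Tag a function by API co-occurrence (this example's vocabulary)."""
    s = set(apis)
    caps = set()
    if s & ENUMERATE:
        caps.add("enumerate")
    if s & {"FindNextFileW", "FindNextFileA"}:
        caps.add("iterate")            # loops over entries, not a one-off existence probe
    if "SetCurrentDirectoryW" in s:
        caps.add("recurse")            # changes directory while walking: subtree traversal
    if "CopyFileW" in s:
        caps.add("copy")
    if s & {"DeleteFileW", "MoveFileW"}:
        caps.add("delete_or_move")
    if "SetFileAttributesW" in s:
        caps.add("change_attributes")  # e.g. clears read-only/hidden before acting on a file
    if "Sleep" in s and "iterate" in caps:
        caps.add("throttled")          # pauses inside the walk; cheap sandbox/IO-spike evasion
    return caps


def summarize(text):
    """Group by (image, address): the same address in several instances is one function."""
    out = {}
    for image, inst, _dump, addr, apis in parse_rows(text):
        entry = out.setdefault((image, addr), {"instances": [], "apis": apis,
                                               "caps": capabilities(apis)})
        if inst not in entry["instances"]:
            entry["instances"].append(inst)
    return out


if __name__ == "__main__":
    for (image, addr), e in summarize(SAMPLE_ROWS).items():
        print(f"{image:28s} {addr}  instances={e['instances']}  {sorted(e['caps'])}")
```

Run it against a saved copy of the report and the output shrinks the list to distinct functions with a capability tag each; the interesting ones for this sample are the walk-and-delete/move routine (10_2_00ADBCB3), the attribute-changing recursive walk (10_2_00AC1A73) and the throttled loop (10_2_00AE2408).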
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: urdavsa.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: urdavsa.pif, 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: urdavsa.pif.1.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/0
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository/03
Source: urdavsa.pif.1.dr | String found in binary or memory: http://www.globalsign.net/repository09
Source: RegSvcs.exe, 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: RegSvcs.exe, 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
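The string hits above fall into two very different groups. The globalsign.net CRL and cacert URLs and the autoitscript.com banner come from the dropped urdavsa.pif on disk and are consistent with an embedded code-signing certificate chain and an AutoIt runtime; the trailing "0", "09" and "0N" are not part of the URLs but the DER bytes that follow each IA5String in the certificate (0x30 is the next SEQUENCE tag and prints as "0"). The pomf.cat upload endpoint, a.pomf.cat and bot.whatismyipaddress.com come only from the RegSvcs.exe and urdavsa.pif memory dumps and are the operational indicators: an external-IP lookup and an anonymous file-upload service used as the exfiltration drop. "upload.phpCContent-Disposition:" is two adjacent .NET string literals carved as one; the "C" between them is taken here to be a one-byte heap length prefix, which is an inference, not something the report states. As an added example that is not part of this report or of any vendor tool, the following carves URLs from both ASCII and UTF-16LE regions of a memory image (the .NET payload stores its strings as UTF-16LE, so an ASCII-only strings pass misses them) and sorts the results into the same two groups. The memory buffer is constructed to reproduce the artifacts above, and the host lists used for classification are this example's assumptions.

```python
"""Carve URL indicators from a process memory dump and sort them for triage.

Added example for this page; it is not part of the sandbox report and not code
from HawkEye, AutoIt or any vendor tool. MEMORY is a constructed buffer shaped
like what the report's string hits suggest: certificate CRL/AIA URLs stored as
ASCII inside an embedded Authenticode signature, and .NET string literals
stored as UTF-16LE. The host lists used for classification are assumptions.
"""
import re
from urllib.parse import urlsplit


def _wide(s):
    return s.encode("utf-16le")


# Constructed memory image. In a DER-encoded certificate the byte after an
# IA5String URL is usually 0x30 (the next SEQUENCE tag), which is ASCII '0';
# naive carving therefore yields 'Root.crl0' and 'ObjectSign.crt09', exactly
# the trailing characters seen in the report's string hits.
MEMORY = (
    b"\x86" + b"http://crl.globalsign.net/Root.crl" + b"\x30\x1e\x06\x03"
    + b"\x86" + b"http://secure.globalsign.net/cacert/ObjectSign.crt" + b"\x30\x39\x00"
    + b"http://www.autoitscript.com/autoit3/" + b"\x30\x00\x00"
    + _wide("http://bot.whatismyipaddress.com/") + b"\x00\x00"
    # assumed one-byte heap length prefix ('C') between two adjacent literals
    # fuses them into 'upload.phpCContent-Disposition', as in the report
    + _wide("http://pomf.cat/upload.php") + _wide("C")
    + _wide("Content-Disposition: form-data") + b"\x00\x00"
    + _wide("https://a.pomf.cat/") + b"\x00\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
URL = re.compile(r"https?://[^\s\"'<>]+")

# Triage lists (assumptions for this example; extend for your environment).
PKI_DOMAINS = ("globalsign.net", "globalsign.com", "digicert.com", "verisign.com", "comodoca.com")
TOOL_BANNER_HOSTS = {"www.autoitscript.com", "www.nirsoft.net"}
IP_LOOKUP_HOSTS = {"bot.whatismyipaddress.com", "checkip.dyndns.org", "api.ipify.org"}


def carve_urls(buf):
    """Return [(url, encoding)] for every URL found in ASCII or UTF-16LE printable runs."""
    found = []
    for enc, pattern in (("ascii", ASCII_RUN), ("utf-16le", WIDE_RUN)):
        for run in pattern.findall(buf):
            for url in URL.findall(run.decode(enc)):
                url = url.rstrip(".,;:)")
                if (url, enc) not in found:
                    found.append((url, enc))
    return found


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def _registered(host):
    """Crude registered-domain approximation: last two labels."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(_in_domain(host, d) for d in PKI_DOMAINS):
        return "pki_noise"             # CRL/AIA pointers from an embedded certificate chain
    if host in TOOL_BANNER_HOSTS:
        return "embedded_tool_banner"  # runtime or bundled-tool identification, not C2
    if host in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"    # victim fingerprinting before exfiltration
    if "upload" in parts.path.lower():
        return "exfil_endpoint"
    return "review"


def triage(buf):
    """Map each carved URL to a category; hosts that share a registered domain
    with an exfil endpoint are promoted from 'review' to 'exfil_related'."""
    result = {url: classify(url) for url, _ in carve_urls(buf)}
    exfil_domains = {_registered(urlsplit(u).hostname or "")
                     for u, c in result.items() if c == "exfil_endpoint"}
    for url, cat in list(result.items()):
        if cat == "review" and _registered(urlsplit(url).hostname or "") in exfil_domains:
            result[url] = "exfil_related"
    return result


if __name__ == "__main__":
    for url, cat in triage(MEMORY).items():
        print(f"{cat:22s} {url}")
```

Only the categories other than pki_noise and embedded_tool_banner belong on a blocklist or in a hunt query; the certificate URLs will appear in every binary signed through the same CA and produce nothing but false positives.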
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Code functions: 1_2_009E83C0, 1_2_00A0C0B0, 1_2_009E30FC, 1_2_00A00113, 1_2_009F626D, 1_2_009F33D3, 1_2_009FF3CA, 1_2_009EF5C5, 1_2_009EE510, 1_2_00A00548, 1_2_00A0C55E, 1_2_009E2692, 1_2_009F66A2, 1_2_009F364E, 1_2_00A10654, 1_2_009F589E, 1_2_009FF8C6, 1_2_009F397F, 1_2_009EE973, 1_2_009EDADD, 1_2_009EBAD1, 1_2_00A03CBA, 1_2_009FFCDE, 1_2_009F6CDB, 1_2_009E5D7E, 1_2_009E3EAD, 1_2_00A03EE9, 1_2_009EDF12
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code functions: 2_2_00A998F0, 2_2_00A935F0, 2_2_00AB088F, 2_2_00AAC8CE, 2_2_00AAA137, 2_2_00AA1903, 2_2_00AB1F2C, 2_2_00AA3721, 2_2_00A9F730
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Code functions: 10_2_00A935F0, 10_2_00A998F0, 10_2_00AA2136, 10_2_00AAA137, 10_2_00AB427D, 10_2_00ADF3A6, 10_2_00A998F0, 10_2_00AA2508, 10_2_00AD655F, 10_2_00AA3721, 10_2_00A9F730, 10_2_00AB088F, 10_2_00AA28F0, 10_2_00AAC8CE, 10_2_00AA1903, 10_2_00ADEAD5, 10_2_00B0EA2B, 10_2_00AB3BA1, 10_2_00AA1D98, 10_2_00AB0DE0, 10_2_00AD2D2D, 10_2_00AD4EB7, 10_2_00ADCE8D, 10_2_00AB1F2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 28_2_01709912, 28_2_01702068, 28_2_01700C48, 28_2_01706C28, 28_2_017004E8, 28_2_017054B8, 28_2_01703F68, 28_2_01702ECD, 28_2_017029F8, 28_2_017029E9, 28_2_017039D7, 28_2_01703981, 28_2_01707870, 28_2_017048E0, 28_2_017038E6, 28_2_017010E8, 28_2_01703B60, 28_2_01703B1E, 28_2_01703BF1, 28_2_01703BCE, 28_2_01700BA8, 28_2_01703A77, 28_2_01703A02, 28_2_01703ADD, 28_2_01703AAA, 28_2_01700562, 28_2_01703567, 28_2_01703568, 28_2_01703D40, 28_2_0170053B, 28_2_01704528, 28_2_017005ED, 28_2_01703DDD, 28_2_01703DA0, 28_2_017005A6, 28_2_01703C73, 28_2_01703C1D, 28_2_0170540F, 28_2_017004D8, 28_2_017054A8, 28_2_0170174D, 28_2_01709F90, 28_2_01709F86, 28_2_01703E75, 28_2_01708E38, 28_2_01708E28, 28_2_01706E10, 28_2_01703E1A
Source: 28.2.RegSvcs.exe.7da834a.4.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 28.2.RegSvcs.exe.980000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 28.3.RegSvcs.exe.4aedbda.2.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4aedbda.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50000.3.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95890.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50000.3.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7da834a.4.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95890.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.3.RegSvcs.exe.4a95bd5.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 28.2.RegSvcs.exe.7d50345.2.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001C.00000002.584515573.0000000000982000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001C.00000002.586361746.0000000003234000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000019.00000003.580526774.0000000004A10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001C.00000002.589273699.0000000007D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: urdavsa.pif PID: 5552, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegSvcs.exe PID: 4684, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: unknown | Process created: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe 'C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe'
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\82139548\run.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif 'C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif' rpgc.htg
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
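The process tree above is the whole infection chain and is more useful for detection than any single hash: a double-extension lure (.TXT.exe) on the Desktop drops a renamed interpreter (urdavsa.pif) plus a script argument (rpgc.htg) into a numbered Temp folder; the .pif starts wscript.exe on run.vbs, which starts the same .pif with the same argument again (the report shows this wscript/.pif loop three times); the last .pif instance starts RegSvcs.exe from the .NET Framework directory with no arguments, which is where the YARA hits for HawkEye land, so the legitimate framework utility is only a host for injected code. As an added example that is not part of this report or of any vendor product, the following walks a set of process-creation records of the kind a Sysmon event 1 or EDR feed carries and raises one finding per link of that chain, reporting the full ancestry for each. The images and command lines are the report's; the root explorer.exe and all PIDs other than 5552 (urdavsa.pif) and 4684 (RegSvcs.exe) are assumptions, as are the rule names and the watch-lists.

```python
"""Flag the process chain this report shows, from process-creation telemetry.

Added example for this page, not part of the sandbox report or of any vendor
product. EVENTS is a constructed set of process-creation records with the
fields a Sysmon event 1 or EDR feed carries (pid, ppid, image, cmdline).
Images and command lines are those the report lists; PIDs 5552 (urdavsa.pif)
and 4684 (RegSvcs.exe) are the report's, the other PIDs and the explorer.exe
root are assumed. Rule names and watch-lists are this example's own.
"""
import re

EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4312, "ppid": 4100, "image": r"C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe",
     "cmdline": r'"C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe"'},
    {"pid": 4480, "ppid": 4312, "image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif" rpgc.htg'},
    {"pid": 4520, "ppid": 4480, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\82139548\run.vbs"'},
    {"pid": 5552, "ppid": 4520, "image": r"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif" rpgc.htg'},
    {"pid": 4684, "ppid": 5552, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]

DOUBLE_EXT = re.compile(r"\.(txt|pdf|doc|docx|xls|xlsx|jpg|png)\.(exe|scr|pif|com)$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET framework utilities commonly started empty and then hollowed (assumed watch-list)
FRAMEWORK_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def args_of(cmdline):
    """Everything after the program token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end > 0 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def analyze(events):
    """Return [{'rule', 'pid', 'chain'}] with the ancestry (root first) of each hit."""
    by_pid = {e["pid"]: e for e in events}

    def chain(ev):
        names = []
        while ev is not None:
            names.append(basename(ev["image"]))
            ev = by_pid.get(ev["ppid"])
        return names[::-1]

    findings = []
    for e in events:
        name = basename(e["image"]).lower()
        image = e["image"].lower()
        args = args_of(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None

        def hit(rule):
            findings.append({"rule": rule, "pid": e["pid"], "chain": chain(e)})

        if DOUBLE_EXT.search(name) and "\\users\\" in image:
            hit("double_extension_executable")          # lure masquerading as a document
        if name.endswith(".pif") and "\\appdata\\local\\temp\\" in image and args:
            hit("temp_pif_with_script_argument")        # dropped interpreter fed a script file
        if name in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in args.lower():
            hit("script_host_runs_temp_script")         # wscript.exe on a Temp .vbs
        if parent and grand and basename(parent["image"]).lower() in SCRIPT_HOSTS \
                and grand["image"].lower() == image:
            hit("script_host_relaunch")                 # X -> wscript -> X again: the loop above
        if name in FRAMEWORK_UTILS and not args and parent \
                and not parent["image"].lower().startswith("c:\\windows\\"):
            hit("framework_utility_no_args")            # empty RegSvcs.exe from a user-land parent
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:32s} pid={f['pid']:<6d} " + " -> ".join(f["chain"]))
```

Each rule on its own has benign matches (installers use Temp, admins use cscript), so the value is in the ancestry string: a RegSvcs.exe whose chain runs through wscript.exe and a .pif in Temp should be treated as injected, and the chain also tells the responder which Temp folder and which script to collect.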
|
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe | Process information set: NOOPENFILEERRORBOX (1 occurrence)
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_009EA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_009FAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_00A09FD3 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 2_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AC399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AE2408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AD280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00B08877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AECAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AC1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00ADBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AEDE7C FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00ADBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp
Binary or memory string: VBoxTray.exe@
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp
Binary or memory string: VboxService.exe=
Source: urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp
Binary or memory string: If ProcessExists("VMwaretray.exe") Then}
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: VMwareUser.exe5FB536C7
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp
Binary or memory string: VboxService.exez
Source: rpgc.htg.1.dr
Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: rpgc.htg.1.dr
Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp
Binary or memory string: VMwareUser.exe6BA444D6
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp
Binary or memory string: VMwaretray.exer
Source: urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp
Binary or memory string: rocessExists("VboxService.exe") ThenM72
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: VMwareService.exe536C7jz
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp
Binary or memory string: VMwareService.exe,r
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If ProcessExists("VboxService.exe") ThenM72
Source: rpgc.htg.1.dr
Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp
Binary or memory string: VMwareService.exe637D6
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: VMwaretray.exe
Source: rpgc.htg.1.dr
Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: VboxService.exe:~
Source: urdavsa.pif, 00000015.00000003.519079213.0000000001C47000.00000004.00000001.sdmp
Binary or memory string: Exists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: VBoxTray.exe
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenv
Source: urdavsa.pif, 00000002.00000003.386488951.0000000000B6A000.00000004.00000001.sdmp
Binary or memory string: VMwareUser.exeE97637D6
Source: urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp
Binary or memory string: VMwareService.exeU
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp
Binary or memory string: VBoxTray.exeFs
Source: urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp
Binary or memory string: VboxService.exe
Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: rpgc.htg.1.dr
Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_009FE643 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_009FE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_009FE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\E-Remittance Form_z.TXT.exe
Code function: 1_2_00A07BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 2_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 2_2_00AA7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AAF170 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AAA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\82139548\urdavsa.pif
Code function: 10_2_00AA7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: urdavsa.pif, 00000002.00000003.391144529.0000000000B88000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.457166893.00000000038D3000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.519040944.0000000001C63000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000002.587663014.00000000045C0000.00000004.00000001.sdmp
Binary or memory string: Program Manager
Source: urdavsa.pif.1.dr
Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: urdavsa.pif, urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: urdavsa.pif, 00000002.00000003.386710610.0000000000B66000.00000004.00000001.sdmp, urdavsa.pif, 0000000A.00000003.399515071.00000000038A1000.00000004.00000001.sdmp, urdavsa.pif, 00000015.00000003.517916403.0000000001C45000.00000004.00000001.sdmp, urdavsa.pif, 00000019.00000003.526855030.00000000045C1000.00000004.00000001.sdmp
Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: rpgc.htg.1.dr
Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp
Binary or memory string: &Program Manager
Source: urdavsa.pif, 00000019.00000002.585558648.0000000002480000.00000002.00000001.sdmp, RegSvcs.exe, 0000001C.00000002.586038827.0000000001C10000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Source: urdavsa.pif, 00000002.00000002.391973257.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 0000000A.00000002.458737854.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000015.00000000.457959788.0000000000B12000.00000002.00020000.sdmp, urdavsa.pif, 00000019.00000002.585114275.0000000000B12000.00000002.00020000.sdmp
Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -