Source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1", "Assigned name": "NetGeneration", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Dlls.exe", "Startup value": "Chrome", "Hide file": "Enable", "Mutex": "Remcos-HCJBCA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobes", "Keylog folder": "Adobes", "Keylog file max size": "20000"} |
Source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"} |
Source: 21.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 16.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 19.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 16.2.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 17.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 18.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 2.0.mU9H96igb3.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 9.0.mU9H96igb3.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 15.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: 20.0.Dlls.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.fexqx |
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin |
Source: Dlls.exe, 00000014.00000002.139080944862.00000000007B4000.00000004.00000020.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR |
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei |
Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn |
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint |
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp | String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF4B8B |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C0474A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF087E |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF557A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE4AA2 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C01BCE |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF6BF6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C0130A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BFECDD |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF00C6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BFE400 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF7574 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0058474A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057557A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00574B8B |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057087E |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057E400 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057ECDD |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_005700C6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_005800B4 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00564AA2 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00577574 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0058130A |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00581BCE |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00576BF6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C24B8B |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C3474A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2087E |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2557A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C14AA2 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C31BCE |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C26BF6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C3130A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C200C6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2ECDD |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2E400 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C27574 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6087E |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F64B8B |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6557A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F7474A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6ECDD |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F600C6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F54AA2 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6E400 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F66BF6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F71BCE |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F67574 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F7130A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235087E |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235557A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0236474A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02354B8B |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235E400 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02344AA2 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235ECDD |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_023500C6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0236130A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02357574 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02356BF6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02361BCE |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0058474A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057557A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00574B8B |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057087E |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057E400 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057ECDD |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_005700C6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_005800B4 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00564AA2 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00577574 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0058130A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00581BCE |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00576BF6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0058474A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057557A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00574B8B |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057087E |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057E400 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057ECDD |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_005700C6 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_005800B4 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00564AA2 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00577574 |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0058130A |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00581BCE |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00576BF6 |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C0474A NtSetInformationThread, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C04084 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF087E NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF557A NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C0130A NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF7574 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00586E0F NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00584084 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00566970 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057557A NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C3474A NtSetContextThread, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C34084 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2087E NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2557A NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C3130A NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C27574 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F74084 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6087E NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6557A NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F7474A NtSetInformationThread, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F67574 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F7130A NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235087E NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02364084 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235557A NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0236474A NtResumeThread, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0236130A NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02357574 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_0058727E Sleep,NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_00586E0F NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_00586CD1 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_00586E17 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_005873EB NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_00586CCC NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 19_2_005870C5 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00586E0F NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00584084 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00566970 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057557A NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00586E0F NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00584084 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00566970 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057557A NtAllocateVirtualMemory, |
Source: unknown | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe' |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe' |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' |
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0041A474 push ebp; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0040E9CB push ecx; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004191F0 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004131A3 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004086CE push eax; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_00411ACE push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_004132DE push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0041729D push edx; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0040DAAA push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0040E6B3 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_00417AB9 push eax; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_0040A750 push ss; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_00411B06 push ecx; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_00407B81 push esi; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE267D push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C04084 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE2A10 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE1611 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE67BC push es; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF6BF6 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE1327 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BE1366 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0056267D push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00584084 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00562A10 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00561611 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00561366 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00561327 push esi; iretd |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00576BF6 push FFFFFF94h; retf |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_005667BC push es; ret |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_0041A474 push ebp; ret |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | File opened: C:\Program Files\qga\qga.exe |
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp | Binary or memory string: TROGRAM FILES\QEMU-GA\QEMU-GA.EXET |
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BINHTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BIN |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp | Binary or memory string: trogram Files\Qemu-ga\qemu-ga.exet |
Source: Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWw4 |
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
Source: mU9H96igb3.exe, 00000009.00000002.137983452106.00000000009A5000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW(< |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: vmicvss |
Source: mU9H96igb3.exe, 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW |
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin |
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
Source: Dlls.exe, 00000014.00000002.139081030100.00000000007C5000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW :WA |
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BF46A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02C01BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BFC054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 2_2_02BFE990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_005746A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_00581BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\mU9H96igb3.exe | Code function: 9_2_0057E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C246A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C31BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 15_2_02C2E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F646A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F71BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 17_2_04F6E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_023546A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_0235E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 18_2_02361BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_005746A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_00581BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 20_2_0057E990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057C054 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_005746A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_00581BCE mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe | Code function: 21_2_0057E990 mov eax, dword ptr fs:[00000030h] |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program ManagerCJBCA\D |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program Manager# |
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program ManagerCJB |
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program ManagerCJBCA\ |
Source: Dlls.exe, 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp | Binary or memory string: [ Program Manager ] |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program Managerr| |
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program Manager2 |
Source: Dlls.exe, 00000013.00000002.142216216346.00000000008D9000.00000004.00000020.sdmp | Binary or memory string: |Program Manager| |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program Manager~ |
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp | Binary or memory string: Program Manager| |