Source: http://gstatic-node.io/c2confLh | Avira URL Cloud: Label: malware |
Source: http://gstatic-node.io/ | Avira URL Cloud: Label: malware |
Source: http://gstatic-node.io/f | Avira URL Cloud: Label: malware |
Source: http://gstatic-node.io/c2conf | Avira URL Cloud: Label: malware |
Source: | Binary string: RuDl.pdb source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp, FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp |
Source: | Binary string: vcruntime140_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp |
Source: | Binary string: vertigorpgraptor.pdb source: FT0uDS8neB.exe |
Source: | Binary string: mscorlib.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp |
Source: | Binary string: ucrtbase_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp |
Source: | Binary string: mscorlib.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp |
Source: | Binary string: mscorlib.ni.pdbRSDS.TH source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp |
Source: | Binary string: System.Core.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp |
Source: | Binary string: vcruntime140_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp |
Source: | Binary string: System.Core.ni.pdbRSDS"f4v9 source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp |
Source: | Binary string: ucrtbase_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp |
Source: | Binary string: System.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp |
Source: | Binary string: System.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp |
Source: | Binary string: System.Core.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004493C8 FindFirstFileExW, | 1_2_004493C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0044947C FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 1_2_0044947C |
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gstatic-node.io/ |
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gstatic-node.io/c2conf |
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gstatic-node.io/c2confLh |
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gstatic-node.io/f |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o |
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net |
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000126E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0042D2D9 GetProcAddress,InternetReadFile,GetModuleHandleW,InternetQueryDataAvailable,LdrInitializeThunk,_strlen,HttpSendRequestA,InternetQueryDataAvailable,GetProcAddress,HttpOpenRequestW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCloseHandle,GetProcAddress,GetProcAddress,InternetOpenW,InternetConnectA, | 1_2_0042D2D9 |
Source: FT0uDS8neB.exe, type: SAMPLE | Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen |
Source: 0.0.FT0uDS8neB.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen |
Source: FT0uDS8neB.exe, type: SAMPLE | Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor |
Source: 0.0.FT0uDS8neB.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0042EEA4 appears 34 times | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00431A30 appears 51 times | |
Source: FT0uDS8neB.exe, 00000000.00000002.246368924.00000000015BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRuDl.dll* vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameSystem.dllT vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: LegalCopyright!OriginalFilename vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: get_OriginalFilename vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: originalFilename vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070066000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenameSystem.Core.dllT vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.270616677.00000000739B1000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamevcruntime140_clr0400.dll^ vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRuDl.dll* vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.270461768.00000000729F5000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameucrtbase_clr0400.dll^ vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000000.241332087.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevertigorpgraptor.exeB vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenamemscorlib.dllT vs FT0uDS8neB.exe |
Source: FT0uDS8neB.exe | Binary or memory string: OriginalFilenamevertigorpgraptor.exeB vs FT0uDS8neB.exe |
Source: unknown | Process created: C:\Users\user\Desktop\FT0uDS8neB.exe C:\Users\user\Desktop\FT0uDS8neB.exe | |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012 | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Code function: 0_2_05A31799 push ebx; iretd | 0_2_05A3179A |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Code function: 0_2_05B75775 push B8FFFFC3h; ret | 0_2_05B7577C |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Code function: 0_2_05B74B7D push eax; iretd | 0_2_05B74B84 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0045893D push esi; ret | 1_2_00458946 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004019C7 push eax; mov dword ptr [esp], 00000000h | 1_2_004019CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00449C28 push ecx; ret | 1_2_00449C3B |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr | Binary or memory string: VMware |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af |
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me |
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW, |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: RegSvcs.exe, 00000001.00000002.253094942.00000000011F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(a$ |
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00427ACE GetProcessHeap,CreateCompatibleDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,DeleteObject, | 1_2_00427ACE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004303CD mov eax, dword ptr fs:[00000030h] | 1_2_004303CD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0043B51A mov ecx, dword ptr fs:[00000030h] | 1_2_0043B51A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00446FD5 mov eax, dword ptr fs:[00000030h] | 1_2_00446FD5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00431849 SetUnhandledExceptionFilter, | 1_2_00431849 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00431855 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_00431855 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00431D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_00431D60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_004457FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_004457FB |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 455000 |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 460000 |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 462000 |
Source: C:\Users\user\Desktop\FT0uDS8neB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D2C008 |