Source: Yara match |
File source: hesaphareketi-01.pdf.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1208684446.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1223494141.00007FF73434D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: unknown |
HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49699 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49700 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49708 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49709 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49710 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49711 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49713 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49714 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49715 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49716 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49719 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49720 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49721 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49724 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49725 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49728 version: TLS 1.2 |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc7b929ff59cb4Host: api.telegram.orgContent-Length: 980Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc88931a5d0108Host: api.telegram.orgContent-Length: 66751Expect: 100-continue |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc90cd1e5e4e83Host: api.telegram.orgContent-Length: 66751Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc9817b6b6812fHost: api.telegram.orgContent-Length: 70703Expect: 100-continue |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc9a12c02f0750Host: api.telegram.orgContent-Length: 70703Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc9c148a05a466Host: api.telegram.orgContent-Length: 66751Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc9ece9c66b2c0Host: api.telegram.orgContent-Length: 66751Expect: 100-continue |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dca51c7ada008aHost: api.telegram.orgContent-Length: 66754Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dca773f71df223Host: api.telegram.orgContent-Length: 66754Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcaba1a50f6e18Host: api.telegram.orgContent-Length: 66754Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcae7fd2a8c765Host: api.telegram.orgContent-Length: 67229Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcb1ecef588748Host: api.telegram.orgContent-Length: 67317Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcb6c88add5f77Host: api.telegram.orgContent-Length: 66754Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcc4c57a67a1f1Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcc78492d93770Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dccb6d9b422ea1Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcce4615a1f8c7Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcd0bba16aab02Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcd5bf69ee82a1Host: api.telegram.orgContent-Length: 66989Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcd96a0224ce84Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dcdd588123294fHost: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST /bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc7b9c07669e21Host: api.telegram.orgContent-Length: 66765Expect: 100-continueConnection: Keep-Alive |
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api.telegram.org |
Source: hesaphareketi-01.pdf.exe |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX |
Source: hesaphareketi-01.pdf.exe |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY |
Source: hesaphareketi-01.pdf.exe |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1223452020.00007FF7342FD000.00000004.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: hesaphareketi-01.pdf.exe |
String found in binary or memory: https://aka.ms/dotnet-warnings/ |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org |
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram |
Source: RegAsm.exe, 00000003.00000002.3677180762.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002851000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/ |
Source: RegAsm.exe, 00000003.00000002.3677180762.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.0000000002ADE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/sendDocument |
Source: RegAsm.exe, 00000003.00000002.3677180762.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.orgx |
Source: hesaphareketi-01.pdf.exe, type: SAMPLE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: hesaphareketi-01.pdf.exe |
Binary or memory string: OriginalFilename vs hesaphareketi-01.pdf.exe |
Source: hesaphareketi-01.pdf.exe, 00000000.00000000.1208782135.00007FF7343D8000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamed430bae3-2e9e-4778-9cea-7bcd12b5f496.exe4 vs hesaphareketi-01.pdf.exe |
Source: hesaphareketi-01.pdf.exe, 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe |
Source: hesaphareketi-01.pdf.exe |
Binary or memory string: OriginalFilenameWriteLineAsyncd58ELEMENTTYPEINTERNAL.dllj% vs hesaphareketi-01.pdf.exe |
Source: hesaphareketi-01.pdf.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.hesaphareketi-01.pdf.exe.7ff7341d0000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.0.hesaphareketi-01.pdf.exe.7ff7341d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, roEs93G.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, JQn0Aia1.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, JQn0Aia1.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, YsrmZ97b.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (23 occurrences) |
Source: unknown |
Process created: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe "C:\Users\user\Desktop\hesaphareketi-01.pdf.exe" |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" |
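The rows above are the whole process tree: the sample, named to look like a PDF, starts conhost.exe and then RegAsm.exe with nothing on the command line but the image path. A signed .NET framework utility launched bare by a user-launched executable is the classic host for injected code. As an added example (not code from the report, from Joe Sandbox or from the sample), the following detection logic runs over constructed Sysmon-style process-creation records that mirror those rows. The field names (Image, ParentImage, CommandLine), the list of .NET host binaries and the benign devenv.exe record used for contrast are assumptions.

```python
"""Flag a .NET framework utility started with no arguments by a user-launched
executable, the parent/child relationship in the process tree above.

Added example; it is not part of the Joe Sandbox report. The records below are
constructed to mirror the report's "Process created" rows, and the field names
(Image, ParentImage, CommandLine) assume a Sysmon Event ID 1 style log source.
"""
from __future__ import annotations

import ntpath
import re

# Signed .NET framework binaries that normally run with arguments and are
# therefore a common host for injected code when started bare (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "csc.exe", "vbc.exe"}
DOTNET_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(?:desktop|downloads|appdata)\\", re.I)
# A document extension immediately followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(?:exe|scr|com)$", re.I)

# Constructed events: the conhost.exe and RegAsm.exe rows of the report's
# process tree plus one benign RegAsm launch (hypothetical developer machine).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\hesaphareketi-01.pdf.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase C:\build\MyComLib.dll'},
]


def arguments_after_image(command_line: str) -> str:
    """Return whatever follows the image token (quoted or bare) on the command line."""
    text = command_line.strip()
    if text.startswith('"'):
        closing = text.find('"', 1)
        return text[closing + 1:].strip() if closing != -1 else ""
    parts = text.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def score_process_creation(event: dict) -> list[str]:
    """Return the reasons a process-creation event looks like injection staging."""
    reasons = []
    child = ntpath.basename(event["Image"]).lower()
    parent = event["ParentImage"]
    if child in DOTNET_HOSTS and DOTNET_DIR.match(event["Image"]):
        if not arguments_after_image(event["CommandLine"]):
            reasons.append("dotnet_host_started_without_arguments")
        if USER_WRITABLE.match(parent):
            reasons.append("parent_runs_from_user_writable_path")
    if DOUBLE_EXT.search(ntpath.basename(parent)):
        reasons.append("parent_name_has_deceptive_double_extension")
    return reasons


def is_suspicious(event: dict) -> bool:
    """A bare .NET host is the anchor; any second reason raises the verdict to suspicious."""
    reasons = score_process_creation(event)
    return "dotnet_host_started_without_arguments" in reasons and len(reasons) >= 2


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (child image, reasons) for every event that is_suspicious accepts."""
    return [(e["Image"], score_process_creation(e)) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

The bare-host check is the anchor because a legitimate RegAsm.exe run always carries an assembly path or a switch; the parent-path and double-extension checks only raise the verdict, so the conhost.exe row (which shares the deceptive parent) is not flagged on its own.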
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Section loaded: apphelp.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mscoree.dll, apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (2 occurrences), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll, edputil.dll, windowscodecs.dll |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: hesaphareketi-01.pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: hesaphareketi-01.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: hesaphareketi-01.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: hesaphareketi-01.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: hesaphareketi-01.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: hesaphareketi-01.pdf.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00E50C6D push edi; retf 3_2_00E50C7A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00E50C45 push ebx; retf 3_2_00E50C52 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_00E50C53 push ebx; retf 3_2_00E50C52 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_061D940A pushfd ; retf 3_2_061D9419 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_061DB521 push es; ret 3_2_061DB530 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 3_2_061D7052 push es; ret 3_2_061D7060 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process information set: NOOPENFILEERRORBOX (65 occurrences) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (one row per call in the original report) |
Thread delayed: delay time: 600000, 599875, 599765, 599656, 599547, 599422, 599312, 599203, 599090, 598984, 598875, 598765, 598656, 598547, 598422, 598312, 598203, 598093, 597984, 597875, 597765, 597656, 597547, 597422, 597312, 597203, 597093, 596967, 596859, 596750, 596639, 596510, 596310, 596078, 595652, 595547, 595437, 595328, 595219, 595094, 594984, 594875, 594765, 594656, 594547, 594437, 594328, 594218, 594109, 594000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -27670116110564310s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -600000s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599875s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599765s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599656s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599547s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599422s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599312s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599203s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -599090s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598984s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598875s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598765s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598656s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598547s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598422s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598312s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598203s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -598093s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597984s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597875s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597765s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597656s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597547s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597422s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597312s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597203s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -597093s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596967s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596859s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596750s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596639s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596510s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596310s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -596078s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595652s >= -30000s |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595547s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595437s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595328s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595219s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -595094s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594984s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594875s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594765s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594656s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594547s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594437s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594328s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594218s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594109s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5744 |
Thread sleep time: -594000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 600000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599875 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599765 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599656 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599547 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599422 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599312 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599203 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 599090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598984 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598875 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598765 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598656 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598547 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598422 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598312 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598203 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 598093 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597984 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597875 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597765 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597656 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597547 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597422 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597312 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597203 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 597093 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596967 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596859 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596750 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596639 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596510 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596310 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 596078 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595652 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595547 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595437 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595328 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595219 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 595094 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594984 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594875 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594765 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594656 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594547 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594437 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594328 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594218 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594109 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Thread delayed: delay time: 594000 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000 |
Source: C:\Users\user\Desktop\hesaphareketi-01.pdf.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 69E008 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: Yara match |
File source: sslproxydump.pcap, type: PCAP |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: sslproxydump.pcap, type: PCAP |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.23682040090.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.hesaphareketi-01.pdf.exe.2368207aac8.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.3672129866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.3677180762.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1218633530.000002368203A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: hesaphareketi-01.pdf.exe PID: 6992, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6596, type: MEMORYSTR |