Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2C93C FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0; |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W |
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0 |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gsr10) |
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gts1c301 |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.pki.goog/gtsr100 |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02 |
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0 |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04 |
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://smtp.gmail.com |
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org |
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/ |
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/t |
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pki.goog/repository/0 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DCE800 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DEDBB5 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E4804A |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DCE060 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD4140 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE2405 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF6522 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E40665 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF267E |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD6843 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE283A |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF89DF |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E40AE2 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF6A94 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD8A0E |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E1EB07 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00E28B13 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DECD61 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF7006 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD3190 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD710E |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DC1287 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE33C7 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DEF419 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE16C4 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD5680 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE78D3 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DD58C0 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE1BB8 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DF9D05 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DCFE40 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DE1FD0 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DEBFE6 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_018E3660 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00408C60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0040DC11 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00407C3F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00418CCC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00406CA0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004028B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0041A4BE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00418244 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00401650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00402F20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004193C4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00418788 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00402F89 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00402B90 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004073A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_02A9D6F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_02A9CAD8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_02A9CE20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_02A90FD0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_02A91030 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_063495A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0634EDC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06346258 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0634CAF8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0634634F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0634F517 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0634BBF8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06340006 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06340040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06740740 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_067464C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06745530 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06741F20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_067486B8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06741830 |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Code function: 6_2_01400BC0 |
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB' |
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB' |
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB' |
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB' |
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs |
High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB' |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 100000 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99886 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99781 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99672 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99562 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99453 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99343 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99234 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99125 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99015 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98906 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98797 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98687 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98578 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98468 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98359 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98250 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98140 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98031 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97921 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97812 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97702 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97593 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97484 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97374 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97262 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97072 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96966 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96794 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96687 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96578 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00DEA395 |
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe |
Code function: 0_2_00DEA364 SetUnhandledExceptionFilter, |
0_2_00DEA364 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_0040CE09 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_0040E61C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_00416F6A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_004123F1 SetUnhandledExceptionFilter, |
2_2_004123F1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Queries volume information: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe VolumeInformation |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |