Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.4574618054.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4574866065.0000000003C8F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 4852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 5080, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 4852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 5080, type: MEMORYSTR |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: EY">Shortcut</control> <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> <control lang="en" key="IDT_AUTO_DISMOUNT">Auto-Dismount</control> <control lang="en" key="IDT_AUTO_DISMOUNT_ON">Dismount all when:</contro |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> <string lang="en" key="ERR_PROCESS_KEYFILE">Error while processing keyfile!</string> <string lang="en" key="ERR_PROCESS_KEYFILE_PATH">Error processing keyfile path!</string> <string |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110578546.00000000004EA000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110578546.00000000004EA000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: <string lang="en" key="CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2327641032.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: %s\autorun.inf |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2327641032.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2327641032.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2327755141.000000000056A000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110522977.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: %s\autorun.inf |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110522977.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110522977.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000000.2110578546.000000000056A000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003B00000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: %s\autorun.inf |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003B00000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003B00000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003B00000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003B00000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: <string lang="en" key="CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2328394090.0000000003C38000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000000.2327068060.000000000056A000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000000.2327068060.00000000004EA000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000000.2327068060.00000000004EA000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: <string lang="en" key="CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574175356.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: %s\autorun.inf |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574175356.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574175356.0000000000492000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: %s\autorun.inf |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: <string lang="en" key="CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> |
Source: APERTURA RAD 10000065665655.exe |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: %s\autorun.inf |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: IDC_PREF_LOGON_STARTMOUNT_TC_VOLUME[autorun] |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: TC_TRAVELER_DISKTrueCrypt\TrueCrypt.exe /q background%s%s%s%s /m rm /v %s /e /c y /m roCANT_CREATE_AUTORUNw,ccs=UNICODE%s\autorun.inf%s\TrueCrypt\Language.%s.xml%s\Language.%s.xmlen%s\TrueCrypt\truecrypt-x64.sys%s\truecrypt-x64.sys%s\TrueCrypt\truecrypt.sys%s\truecrypt.sys%s\TrueCrypt\TrueCrypt Format.exe%s\TrueCrypt Format.exe%s\TrueCrypt\TrueCrypt.exe%s\TrueCrypt.exe%s\TrueCrypt"NO_FILE_SELECTEDNO_PATH_SELECTEDSELECT_DEST_DIROPEN_TITLEAUTORUN_MAY_NOT_ALWAYS_WORKPKCS5_PRF_CHANGEDPASSWORD_CHANGEDKEYFILE_CHANGEDMOUNTED_NOPWCHANGEMOUNTED_NO_PKCS5_PRF_CHANGESYS_PARTITION_OR_DRIVE_APPEARS_FULLY_ENCRYPTEDSYSTEM_ENCRYPTION_IN_PROGRESS_ELSEWHERE/sysencGlobal\TrueCrypt System Encryption Wizard/dsysencSYS_ENCRYPTION_OR_DECRYPTION_IN_PROGRESSCONFIRM_DECRYPT_SYS_DEVICE_CAUTIONCONFIRM_DECRYPT_SYS_DEVICECANNOT_DECRYPT_HIDDEN_OSSYS_DRIVE_NOT_ENCRYPTED/isysencHIDDEN_OS_PREINFO/csysenc/zinplaceCOMMAND_LINE_ERRORbackgroundpreferencesUACrecoveryheaderbakbksmtimestamptsrmroBAD_DRIVE_LETTERnonlogondevices/w/wipecache/v/volume/tokenlib/s/silent/q/quit/p/password/m/mountoption/l/letter/k/keyfile/h/history/?/help/f/force/e/explore/d/dismount/c/cache/b/beep/a/auto-EmbeddingTrueCryptTrueCryptTaskBarIcon |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: <control lang="en" key="IDT_AUTORUN">AutoRun Configuration (autorun.inf)</control> |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: <string lang="en" key="CANT_CREATE_AUTORUN">Error: Cannot create autorun.inf</string> |
Source: TeamsUpdater.exe.0.dr |
Binary or memory string: AutoRun Configuration (autorun.inf) |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D9253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000EC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D9665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D783C FindFirstFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0011E879 FindFirstFileExA, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000E9AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0044ED90 GetModuleFileNameW,GetModuleFileNameW,_wcsrchr,FindFirstFileW,_malloc,GetModuleFileNameW,_wcsrchr,CreateFileW,ReadFile,CloseHandle,FindNextFileW,FindClose, |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/ |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019C1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: APERTURA RAD 10000065665655.exe, 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, APERTURA RAD 10000065665655.exe, 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, APERTURA RAD 10000065665655.exe, 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpG |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019C1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpl |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/r |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt. |
Source: TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/ |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/applink?version=7.1a%s%s&dest=%s |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/applink?version=7.1a%s%s&dest=%s&os=T |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/applink?version=7.1a&dest=ms-debug-tools-x |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/docs/?s=troubleshooting |
Source: TeamsUpdater.exe.0.dr |
String found in binary or memory: https://www.truecrypt.org/applink?version=7.1a&dest=err-report%s&os=%s&osver=%d.%d.%d&arch=%s&cpus=% |
Source: TeamsUpdater.exe.0.dr |
String found in binary or memory: https://www.truecrypt.org/applink?version=7.1a&dest=syserr-report&os=%s&osver=%d.%d.%d&arch=%s&err=% |
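The strings above mix three different kinds of URL, and the Yara match lists in this report identify memory regions only by their dump file name. The following is an added example written for this page; it is not part of the sandbox report and not a tool from any vendor or project. It takes a few rows copied from the report in the layout used here and performs the two checks an analyst would make before acting on the hits: it separates the DigiCert AIA, CRL, OCSP and CPS URLs, which come from the Authenticode certificate chain embedded in the signed binary, and the www.truecrypt.org strings, which belong to the TrueCrypt 7.1a host application whose strings fill this section (the autorun.inf strings earlier on are TrueCrypt's traveler-disk feature, not payload behaviour), from the one indicator worth hunting, the geoplugin.net lookup that Remcos is known to perform; and it decodes the .sdmp names so each Yara hit can be read against the region's page protection and type. The field order assumed for the .sdmp names (process index, dump kind, id, base address, page protection, allocation protection, region type, flags) is this example's reading of the names in the report, not a documented format; the PAGE_* and MEM_* values are the standard Win32 constants.

```python
"""Triage helper for the string and Yara hits in this report. Added example,
not part of the report or of any sandbox vendor's tooling. The .sdmp field
order assumed below (process, dump kind, id, base, page protection, alloc
protection, region type, flags) is read off the names above, not documented.
"""
import re
from urllib.parse import urlsplit

# Constructed input: rows copied from the report, in its own layout.
SAMPLE_ROWS = """\
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: APERTURA RAD 10000065665655.exe, TeamsUpdater.exe.0.dr |
String found in binary or memory: http://www.truecrypt.org/applink?version=7.1a%s%s&dest=%s |
"""

ROW_RE = re.compile(r"^(?P<key>[^:|]+?):\s*(?P<val>.*?)\s*\|?\s*$")
URL_RE = re.compile(r"https?://[^\s|]+")
PKI_RE = re.compile(r"\.(crt|crl)(?![A-Za-z])|/CPS(?![A-Za-z])")  # '0', '0S', '0A' tails are DER bytes
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<alloc>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$", re.I)
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def parse_rows(text):
    """Pair every 'Source' row with the indicator row that follows it."""
    pairs, source = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m["key"] == "Source":
            source = m["val"]
        elif source is not None:
            pairs.append((source, m["key"], m["val"]))
            source = None
    return pairs

def classify_url(indicator):
    """Return (category, url). Hosts are compared label by label because bytes
    adjacent in memory ('com0A', 'json.gpSystem32') are glued onto the URL."""
    m = URL_RE.search(indicator)
    if not m:
        return None, None
    url = m.group(0)
    labels = (urlsplit(url).hostname or "").lower().rstrip(".").split(".")
    if labels[0] == "ocsp" or PKI_RE.search(url):
        return "pki", url          # Authenticode chain: AIA, CRL, OCSP, CPS
    if "truecrypt" in labels:
        return "host_app", url     # TrueCrypt 7.1a host binary, not the payload
    return "network_ioc", url      # whatever is left is the beacon to hunt for

def triage_urls(pairs):
    """Bucket the URL indicators, deduplicated and sorted."""
    buckets = {"pki": set(), "host_app": set(), "network_ioc": set()}
    for _source, key, val in pairs:
        if key.startswith("String found"):
            category, url = classify_url(val)
            if category:
                buckets[category].add(url)
    return {k: sorted(v) for k, v in buckets.items()}

def decode_sdmp(name):
    """Decode a dump name; a hit in executable MEM_PRIVATE memory is code that
    was written into the process at run time (unpacked or injected)."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    protect, mem_type = int(m["protect"], 16), int(m["type"], 16)
    executable = bool(protect & 0xF0)        # PAGE_EXECUTE* constants are 0x10..0x80
    return {"process": int(m["proc"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mem_type, hex(mem_type)),
            "runtime_code": executable and mem_type == 0x20000}

if __name__ == "__main__":
    pairs = parse_rows(SAMPLE_ROWS)
    for category, urls in triage_urls(pairs).items():
        print(category, *urls, sep="\n  ")
    for source, _key, _val in pairs:
        for token in source.split(", "):
            info = decode_sdmp(token)
            if info:
                print(f"proc {info['process']} {info['base']:#x} "
                      f"{info['protect']} {info['type']} "
                      f"runtime_code={info['runtime_code']}")
```

Run as a script it prints the three buckets and the decoded regions. Applied to the Yara match lists in this report, the 0x39C0000 region of the first process and the 0xD0000 region of the second, both of which carry the Remcos rules, decode as PAGE_EXECUTE_READWRITE MEM_PRIVATE, that is, code placed in the process at run time, whereas the 0x5FE000 hit sits in a MEM_IMAGE region and the geoplugin.net strings sit in PAGE_READWRITE private memory, consistent with decrypted configuration rather than code.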
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.4574618054.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4574866065.0000000003C8F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 4852, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 5080, type: MEMORYSTR |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 4852, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 5080, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004078B7 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040405A |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040406E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00402812 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0046D830 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004040BE |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040396E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0041F975 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00403989 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004071BD |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00408274 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004042D4 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00478AA8 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040431F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00404328 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040433C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0041EBC1 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004043A9 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040440F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040448F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00404544 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0041EDC0 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_004076D8 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00401E81 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00407F49 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00407F2C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00403FF4 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00408FFF |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00407F8A |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0010E0CC |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000EF0FA |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00124159 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00108168 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_001161F0 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0010E2FB |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0012332B |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000F739D |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_001074E6 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0010E558 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00108770 |
3_2_00108770 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_001078FE |
3_2_001078FE |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00103946 |
3_2_00103946 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0011D9C9 |
3_2_0011D9C9 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000F7A46 |
3_2_000F7A46 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000EDB62 |
3_2_000EDB62 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000F7BAF |
3_2_000F7BAF |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00107D33 |
3_2_00107D33 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000F6E0E |
3_2_000F6E0E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00105E5E |
3_2_00105E5E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0010DE9D |
3_2_0010DE9D |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000E3FCA |
3_2_000E3FCA |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00106FEA |
3_2_00106FEA |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040405A |
3_2_0040405A |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040406E |
3_2_0040406E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_004040BE |
3_2_004040BE |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_004042D4 |
3_2_004042D4 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040431F |
3_2_0040431F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00404328 |
3_2_00404328 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040433C |
3_2_0040433C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_004043A9 |
3_2_004043A9 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040440F |
3_2_0040440F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040448F |
3_2_0040448F |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00404544 |
3_2_00404544 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00402812 |
3_2_00402812 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0046D830 |
3_2_0046D830 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0040396E |
3_2_0040396E |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00403989 |
3_2_00403989 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00478AA8 |
3_2_00478AA8 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00401E81 |
3_2_00401E81 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00403FF4 |
3_2_00403FF4 |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.APERTURA RAD 10000065665655.exe.39c0000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.APERTURA RAD 10000065665655.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.APERTURA RAD 10000065665655.exe.5fe712.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.APERTURA RAD 10000065665655.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2327919515.00000000005FE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000003.00000002.4573763929.00000000000D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000000.00000002.2328225707.00000000039C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 4852, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: APERTURA RAD 10000065665655.exe PID: 5080, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\Harddisk%d\Partition0 |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\HarddiskVolume |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\Harddisk%d\Partition%d |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\Harddisk |
Source: TeamsUpdater.exe.0.dr |
Binary string: Tahomadefaultfont_normal%ls%c\Device\TrueCryptVolumeUNMOUNT_LOCK_FAILEDEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\SystemSoftware\Microsoft\Windows\CurrentVersion\Uninstall\TrueCryptSystem Encryption.xml\\.\TrueCrypt /a favorites /a devices" /q preferences /a logonSoftware\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRUMRUListSoftware\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRUMRUListExCLEAN_WINMRU_FAILED%cSoftware\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisited%sMRUPidl |
Source: TeamsUpdater.exe.0.dr |
Binary string: F\DEVICE\\Device\\\.\%struecrypt%lu+ |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\Harddisk%d\Partition |
Source: TeamsUpdater.exe.0.dr |
Binary string: B`HDPH@:%hs\Device\Harddisk\PartitionTrueCrypt::BootEncryption::RegisterFilter:1704" |
Source: TeamsUpdater.exe.0.dr |
Binary string: \Device\ |
Source: TeamsUpdater.exe.0.dr |
Binary string: \DEVICE\ |
Source: TeamsUpdater.exe.0.dr |
Binary string: @HotkeyCodeCloseSecurityTokenSessionsHotkeyModCloseSecurityTokenSessionsHotkeyCodeShowHideMainWindowHotkeyModShowHideMainWindowHotkeyCodeMountFavoriteVolumesHotkeyModMountFavoriteVolumesHotkeyCodeForceDismountAllWipeExitHotkeyModForceDismountAllWipeExitHotkeyCodeForceDismountAllWipeHotkeyModForceDismountAllWipeHotkeyCodeDismountAllWipeHotkeyModDismountAllWipeHotkeyCodeWipeCacheHotkeyModWipeCacheHotkeyCodeDismountAllHotkeyModDismountAllHotkeyCodeAutoMountDevicesHotkeyModAutoMountDevicesDisplayMsgBoxOnHotkeyDismountPlaySoundOnHotkeyMountDismountSecurityTokenLibraryLastSelectedDriveHiddenSystemLeakProtNotifStatusDisableSystemCrashDetectionCloseSecurityTokenSessionsAfterMountMountVolumesReadOnlyMountVolumesRemovablePreserveTimestampsUseKeyfilesHiddenSectorDetectionStatusMaxVolumeIdleTimeForceAutoDismountDismountOnScreenSaverDismountOnPowerSavingDismountOnLogOffCloseBackgroundTaskOnNoVolumesEnableBackgroundTaskMountFavoritesOnLogonMountDevicesOnLogonStartOnLogonWipeCacheOnAutoDismountWipePasswordCacheOnExitCachePasswordsSaveVolumeHistoryUseDifferentTrayIconIfVolumesMountedOpenExplorerWindowAfterMountIDPM_PROPERTIESIDM_VERIFY_RESCUE_DISKIDM_CREATE_RESCUE_DISKIDM_SYS_ENC_SETTINGSIDM_CHANGE_SYS_HEADER_KEY_DERIV_ALGOIDM_CHANGE_SYS_PASSWORDENCRYPTPERMANENTLY_DECRYPTIDM_SYSENC_RESUME\Device\Harddisk%d\Partition0\Device\Harddisk%d\Partition VOL_CREATION_WIZARD_NOT_FOUNDTrueCrypt Format.exe"CANNOT_SET_TIMERIDD_PCDM_CHANGE_PKCS5_PRFIDD_PCDM_ADD_REMOVE_VOL_KEYFILESIDD_PCDM_REMOVE_ALL_KEYFILES_FROM_VOLUNCHANGEDIDD_PASSWORDCHANGE_DLGUNSUPPORTED_CHARS_IN_PWDALGO_NOT_SUPPORTED_FOR_SYS_ENCRYPTIONKEYFILES_NOT_SUPPORTED_FOR_SYS_ENCRYPTIONALT_KEY_CHARS_NOT_FOR_SYS_ENCRYPTIONKEYB_LAYOUT_SYS_ENC_EXPLANATIONKEYB_LAYOUT_CHANGE_PREVENTEDCANT_CHANGE_KEYB_LAYOUT_FOR_SYS_ENCRYPTION00000409FIRST_AVAILABLEIDD_TRAVELER_DLGTRAVELER_DISK_CREATEDshell\dismount=%s |
Source: TeamsUpdater.exe.0.dr |
Binary string: CSYS_ENCRYPTION_PRETEST_INFO2_PORTION_4SYS_ENCRYPTION_PRETEST_INFO2_PORTION_3SYS_ENCRYPTION_PRETEST_INFO2_PORTION_2SYS_ENCRYPTION_PRETEST_INFO2_PORTION_1RESCUE_DISK_HELP_PORTION_9RESCUE_DISK_HELP_PORTION_8RESCUE_DISK_HELP_PORTION_7RESCUE_DISK_HELP_PORTION_6RESCUE_DISK_HELP_PORTION_5RESCUE_DISK_HELP_PORTION_4RESCUE_DISK_HELP_PORTION_3RESCUE_DISK_HELP_PORTION_2RESCUE_DISK_HELP_PORTION_1DECOY_OS_INSTRUCTIONS_PORTION_18DECOY_OS_INSTRUCTIONS_PORTION_17DECOY_OS_INSTRUCTIONS_PORTION_16DECOY_OS_INSTRUCTIONS_PORTION_15DECOY_OS_INSTRUCTIONS_PORTION_14DECOY_OS_INSTRUCTIONS_PORTION_13DECOY_OS_INSTRUCTIONS_PORTION_12DECOY_OS_INSTRUCTIONS_PORTION_11DECOY_OS_INSTRUCTIONS_PORTION_10DECOY_OS_INSTRUCTIONS_PORTION_9DECOY_OS_INSTRUCTIONS_PORTION_8DECOY_OS_INSTRUCTIONS_PORTION_7DECOY_OS_INSTRUCTIONS_PORTION_6DECOY_OS_INSTRUCTIONS_PORTION_5DECOY_OS_INSTRUCTIONS_PORTION_4DECOY_OS_INSTRUCTIONS_PORTION_3DECOY_OS_INSTRUCTIONS_PORTION_2DECOY_OS_INSTRUCTIONS_PORTION_1How to Remove Extra Boot PartitionEXTRA_BOOT_PARTITION_REMOVAL_INSTRUCTIONSHow to Create Decoy OSTrueCrypt Rescue Disk HelpPre-Boot TroubleshootingLEGAL_NOTICES_DLG_TITLEHIDDEN_FILES_PRESENT_IN_KEYFILE_PATHSYSENC_MOUNT_WITHOUT_PBA_NOTEPASSWORD_OR_MODE_WRONGPASSWORD_OR_KEYFILE_OR_MODE_WRONGPASSWORD_WRONGPASSWORD_OR_KEYFILE_WRONGERR_UNKNOWNERR_SYS_HIDVOL_HEAD_REENC_MODE_WRONGERR_NONSYS_INPLACE_ENC_INCOMPLETEERR_ENCRYPTION_NOT_COMPLETEDERR_VOL_FORMAT_BADERR_SELF_TESTS_FAILEDNEW_VERSION_REQUIREDDRIVER_VERSIONACCESS_DENIEDNO_FREE_DRIVESVOL_MOUNT_FAILEDFILE_OPEN_FAILEDERR_CIPHER_INIT_WEAK_KEYERR_CIPHER_INIT_FAILUREVOL_SEEKINGWRONG_VOL_TYPECOMPRESSION_NOT_SUPPORTEDVOL_SIZE_WRONGOPENFILES_LOCKOPENFILES_DRIVERNOT_FOUND.%xIDD_CIPHER_TEST_DLG%02xTEST_INCORRECT_TEST_DATA_UNIT_SIZETEST_INCORRECT_SECONDARY_KEY_SIZETEST_CIPHERTEXT_SIZETEST_PLAINTEXT_SIZETEST_KEY_SIZETESTS_PASSEDTESTS_FAILEDGetSystemWow64DirectoryAX:\pagefile.sys\\.\X:ENTER_TOKEN_PASSWORDIDD_TOKEN_PASSWORDPKCS11_MODULE_INIT_FAILEDNO_PKCS11_MODULE_SPECIFIEDisoburn.exe\Device\Harddisk%d\Partition%dDisplayName{Software\Microsoft\Windows\CurrentVersion\Uninstall..\\?\\??\%sASK_REMOVE_DEVICE_WRITE_PROTECTION\Device\HarddiskVolumeMOUNTED_DEVICE_FORCED_READ_ONLY_WRITE_PROTECTIONMOUNTED_DEVICE_FORCED_READ_ONLYMOUNTED_CONTAINER_FORCED_READ_ONLYMOUNTED_VOLUME_DIRTYHIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT\Device\Harddisk%d\Partition0FILE_IN_USE_FAILEDFILE_IN_USE\Device\Harddisk%d\PartitionUNC |
Source: TeamsUpdater.exe.0.dr |
Binary string: @del "%s" "%s"%s\TrueCrypt_Write_Protection_Removal.diskpart%s\TrueCrypt_Write_Protection_Removal.cmd\Device\Harddisk%d\Partition%dp |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: action to perform from the following:</string> <string lang="en" key="REPAIR_REINSTALL">Repair/Reinstall</string> <string lang="en" key="UPGRADE">Upgrade</string> <string lang="en" key="UNINSTALL">Uninstall</string> <string lang="en" key="S |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: Post-Install Task - Release Notes |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: Post-Install Task - Tutorial |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: Post-Install Task - Tutorial |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: Post-Install Task - Release Notes |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: CSplashDlgCustomDlgWipeModeSystemEncryptionStatusIn-Place Encryption Wipe AlgoIn-Place EncryptionPost-Install Task - TutorialPost-Install Task - Release Notes%ls (*.*)%c*.*%c%ls (*.tc)%c*.tc%c%cALL_FILESTC_VOLUMESnotepad |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: -starter |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: HD`HDPH@-sp-x64-basicBasic-starter-ultimateUltimate-datacenterDatacenter-enterpriseEnterprise-businessBusinessProfessional-standardStandard-server2008r272008vista2003-pro-homexp2000SOFTWARE\Microsoft\Windows NT\CurrentVersionwinhttp://www.truecrypt.org/applink?version=7.1a%s%s&dest=%s&os=T |
Source: APERTURA RAD 10000065665655.exe |
String found in binary or memory: <string lang="en" key="REPAIR_REINSTALL">Repair/Reinstall</string> |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: k7rn7l32.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: ntd3ll.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000ECB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00405B70 push 8100012Ah; iretd |
0_2_00405B7C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0040A40F push 810000BEh; iretd |
0_2_0040A414 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_00476EBD push ecx; ret |
0_2_00476ED0 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00127106 push ecx; ret |
3_2_00127119 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0012E54D push esi; ret |
3_2_0012E556 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0012C97E push eax; retf |
3_2_0012C981 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0012C986 pushad ; retf |
3_2_0012C989 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0012C9A6 pushfd ; retf |
3_2_0012C9A9 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00127A28 push eax; ret |
3_2_00127A46 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00104E56 push ecx; ret |
3_2_00104E69 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00130EC2 push esp; ret |
3_2_00130F09 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00405B70 push 8100012Ah; iretd |
3_2_00405B7C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00476EBD push ecx; ret |
3_2_00476ED0 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D9253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_000D9253 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000EC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_000EC291 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_000DC34D |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D9665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_000D9665 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
3_2_000D880C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000D783C FindFirstFileW,FindNextFileW, |
3_2_000D783C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0011E879 FindFirstFileExA, |
3_2_0011E879 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000E9AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
3_2_000E9AF5 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_000DBB30 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_000DBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
3_2_000DBD37 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0044ED90 GetModuleFileNameW,GetModuleFileNameW,_wcsrchr,FindFirstFileW,_malloc,GetModuleFileNameW,_wcsrchr,CreateFileW,ReadFile,CloseHandle,FindNextFileW,FindClose, |
3_2_0044ED90 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 0_2_0046DF62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0046DF62 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_001049F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_001049F9 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0010BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_0010BB22 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00104B47 SetUnhandledExceptionFilter, |
3_2_00104B47 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_00104FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_00104FDC |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: 3_2_0046DF62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_0046DF62 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\ |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\30 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\N |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager# |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager! |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager0 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\@ |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\8 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\y |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerR |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\1 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\r |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp, logs.dat.3.dr |
Binary or memory string: [Program Manager] |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\k |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerG |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerH |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\# |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\d |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Managernutes } |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerM |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000003.2368972498.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager8 |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\6? |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.0000000001977000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerspirpchM |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019C1000.00000004.00000020.00020000.00000000.sdmp, APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019B8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: |Program Manager| |
Source: APERTURA RAD 10000065665655.exe, 00000003.00000002.4574618054.00000000019D9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager5Q\04 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoA, |
0_2_00482360 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoA, |
3_2_000DF8D1 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: EnumSystemLocalesW, |
3_2_00122036 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
3_2_001220C3 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoW, |
3_2_00122313 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: EnumSystemLocalesW, |
3_2_00118404 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
3_2_0012243C |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoW, |
3_2_00122543 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
3_2_00122610 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoW, |
3_2_001188ED |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
3_2_00121CD8 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: EnumSystemLocalesW, |
3_2_00121F50 |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: EnumSystemLocalesW, |
3_2_00121F9B |
Source: C:\Users\user\Desktop\APERTURA RAD 10000065665655.exe |
Code function: GetLocaleInfoA, |
3_2_00482360 |