Source: |
Binary string: wntdll.pdbUGP source: QUG24-2003700542005180.exe, 00000006.00000003.1309599352.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, QUG24-2003700542005180.exe, 00000006.00000003.1308386677.0000000004610000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: QUG24-2003700542005180.exe, 00000006.00000003.1309599352.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, QUG24-2003700542005180.exe, 00000006.00000003.1308386677.0000000004610000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdbSHA256}Lq source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdb source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, |
6_2_00452126 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, |
6_2_0045C999 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, |
6_2_00436ADE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
6_2_00434BEE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0045DD7C FindFirstFileW,FindClose, |
6_2_0045DD7C |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, |
6_2_0044BD29 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, |
6_2_00436D2D |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
6_2_00442E1F |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
6_2_00475FE5 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, |
6_2_0044BF8D |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686- |
Source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, |
6_2_00459FFF |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
6_2_0047C08E |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, |
6_2_00434D50 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
6_2_004461ED |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, |
6_2_004364AA |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00409A40 |
6_2_00409A40 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00412038 |
6_2_00412038 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00427161 |
6_2_00427161 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0047E1FA |
6_2_0047E1FA |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004212BE |
6_2_004212BE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00443390 |
6_2_00443390 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00443391 |
6_2_00443391 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0041A46B |
6_2_0041A46B |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0041240C |
6_2_0041240C |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00446566 |
6_2_00446566 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004045E0 |
6_2_004045E0 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0041D750 |
6_2_0041D750 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004037E0 |
6_2_004037E0 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00427859 |
6_2_00427859 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00412818 |
6_2_00412818 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0040F890 |
6_2_0040F890 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0042397B |
6_2_0042397B |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00411B63 |
6_2_00411B63 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0047CBF0 |
6_2_0047CBF0 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044EBBC |
6_2_0044EBBC |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00412C38 |
6_2_00412C38 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00490D70 |
6_2_00490D70 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044ED9A |
6_2_0044ED9A |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00423EBF |
6_2_00423EBF |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00424F70 |
6_2_00424F70 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0041AF0D |
6_2_0041AF0D |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_041B4090 |
6_2_041B4090 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F1C10 |
8_2_014F1C10 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F5148 |
8_2_014F5148 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F5158 |
8_2_014F5158 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F1978 |
8_2_014F1978 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F1988 |
8_2_014F1988 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F4800 |
8_2_014F4800 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F4492 |
8_2_014F4492 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_014F4351 |
8_2_014F4351 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05408D60 |
8_2_05408D60 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540D4B8 |
8_2_0540D4B8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540098D |
8_2_0540098D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05408D50 |
8_2_05408D50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540CD08 |
8_2_0540CD08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540CCC0 |
8_2_0540CCC0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540CCF7 |
8_2_0540CCF7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540D4A8 |
8_2_0540D4A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B750E |
8_2_054B750E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054BB5C8 |
8_2_054BB5C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B74D8 |
8_2_054B74D8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054BACF8 |
8_2_054BACF8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B58F8 |
8_2_054B58F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B7AA2 |
8_2_054B7AA2 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B7D9A |
8_2_054B7D9A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B74D8 |
8_2_054B74D8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B7F17 |
8_2_054B7F17 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054BA9B0 |
8_2_054BA9B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05757BF0 |
8_2_05757BF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05758C88 |
8_2_05758C88 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05757F17 |
8_2_05757F17 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: String function: 00445975 appears 65 times |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: String function: 0041171A appears 37 times |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: String function: 0041718C appears 45 times |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: String function: 0040E6D0 appears 35 times |
Source: QUG24-2003700542005180.exe, 00000006.00000003.1307568802.000000000473D000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs QUG24-2003700542005180.exe |
Source: QUG24-2003700542005180.exe, 00000006.00000003.1310042426.0000000004603000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs QUG24-2003700542005180.exe |
Source: 6.2.QUG24-2003700542005180.exe.3d00000.1.raw.unpack, Specification.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 6.2.QUG24-2003700542005180.exe.3d00000.1.raw.unpack, ConnectionHelperTask.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 6.2.QUG24-2003700542005180.exe.3d00000.1.raw.unpack, ConnectionHelperTask.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, eMD8oOIH3tOpACb6lLN.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, eMD8oOIH3tOpACb6lLN.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, oOvFRkVmPZntMcG1dRl.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, oOvFRkVmPZntMcG1dRl.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, oOvFRkVmPZntMcG1dRl.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, |
6_2_00464422 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, |
6_2_004364AA |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, |
6_2_0047A999 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, |
6_2_0043614F |
Source: unknown |
Process created: C:\Users\user\Desktop\QUG24-2003700542005180.exe "C:\Users\user\Desktop\QUG24-2003700542005180.exe" |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\QUG24-2003700542005180.exe" |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Section loaded: kernel.appcore.dll |
Source: 6.2.QUG24-2003700542005180.exe.3d00000.1.raw.unpack, ConnectionHelperTask.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, oOvFRkVmPZntMcG1dRl.cs |
.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: 6.2.QUG24-2003700542005180.exe.3d00000.1.raw.unpack, Specification.cs |
.Net Code: ListSpecification System.AppDomain.Load(byte[]) |
Source: 8.2.RegSvcs.exe.56d0000.8.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 8.2.RegSvcs.exe.56d0000.8.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 8.2.RegSvcs.exe.56d0000.8.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 8.2.RegSvcs.exe.56d0000.8.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 8.2.RegSvcs.exe.56d0000.8.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: 8.2.RegSvcs.exe.3f8d9d0.3.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 8.2.RegSvcs.exe.3f8d9d0.3.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 8.2.RegSvcs.exe.3f8d9d0.3.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 8.2.RegSvcs.exe.3f8d9d0.3.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 8.2.RegSvcs.exe.3f8d9d0.3.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: 8.2.RegSvcs.exe.3fdd9f0.4.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 8.2.RegSvcs.exe.3fdd9f0.4.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 8.2.RegSvcs.exe.3fdd9f0.4.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 8.2.RegSvcs.exe.3fdd9f0.4.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 8.2.RegSvcs.exe.3fdd9f0.4.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, AssemblyLoader.cs |
.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[]) |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, wDs8PcUjkGmiVMsShV.cs |
.Net Code: hV2gPokIalUZTL4Gg9x System.AppDomain.Load(byte[]) |
Source: Yara match |
File source: 8.2.RegSvcs.exe.5480000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 8.2.RegSvcs.exe.3f3d790.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1329877009.0000000005480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 7324, type: MEMORYSTR |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004171D1 push ecx; ret |
6_2_004171E4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_0540CB21 push 0002DF5Ch; retf |
8_2_0540CB2D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_054B0BB0 pushfd ; iretd |
8_2_054B0BB1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05A43156 push es; iretd |
8_2_05A43169 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 8_2_05A4244B pushad ; ret |
8_2_05A42459 |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, cm74vVXsmaMoaBXoQ2.cs |
High entropy of concatenated method names: 'HkIP7pdi3', 'GYtfxgLNX', 'PGSwErMIt', 'l5qBxnAgr', 'eD3hBVkHkjGGJwCf4LW', 'MZFSwnkjwXL4YIi7FLo', 'Csx7WGkBYyn1gp2shjM', 'JDchS3kJHMVJyqymooI', 'I1EMTRkDuhHew0S2qSV', 'zbbKAWkdUqsgvrRHwbf' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, bYrxj13l5RWcC47BuB.cs |
High entropy of concatenated method names: 'ruVrZK1pU', 'LaVx4vq8n', 'KmqU9hETiigcCXTsudk', 'ym4yLwEcysULFBfMbhc', 'UwFQXfE4g86mwUqQQIy', 'By4J2XEDfxeCPk4PH1v', 'DkV0TjEdYFCieAeNiDb', 'SkCQ6ZEuL7QHr1UhnKc' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, AssemblyLoader.cs |
High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'AZ7rw5kQIJYhAqxug4l' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, owjDweIfdaLrXIiaeGm.cs |
High entropy of concatenated method names: 'pxrIBFsHdC', 'PWrIJvTvlI', 'y6uitRqXvCUBvcIUBwr', 'tYopmfqeMkoGUlB8RNN', 'hBkbJEqP53K2XIBKbIt', 'LdLYCbqf7ygLf6J7pqf', 'X3l01iqwIZgSJaRFro3', 'LbCjJHqhsl5OISA6aIn', 'c066xvqYZUOpPZ233n3', 'ur8xMgqBgvZCItY0Z0R' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, cllZos6K8EdN22bu8Cb.cs |
High entropy of concatenated method names: 'FpbIy2HXSq', 'siAONBn9tbZQR362sRI', 'qMwm7rnR9G3WmHDcVUa', 'HtXL2qnZQMj9ElYQTCJ', 'KAv688OE0O', 'xLb62eVZRB', 'uvL6IGF5qd', 'Wvn6VyYjYU', 'HYS605JMeT', 'CcE67pGNl5' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, dGaVDeILuqeslm3osYd.cs |
High entropy of concatenated method names: 'pAUI1kjJqR', 'CPsIifQAa9', 'eVhIsPdMv6', 'H2ZRoEqgB89vkjXrkaO', 'C0RjYGqrKMa7s6KDTjV', 'D5pw0Yqxnqr2ZopTKdF', 'P04EMpqvmU3xyIZWpSI', 'Iwwgh0qQv6LG24cs5Eq', 'WFkpSxqUDEU2Ymu0xOD', 'Duodv7qFr0OH1yLUWtn' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, GcfHkIIT1c9dp6ZVZS4.cs |
High entropy of concatenated method names: 'YDUI4DqXtI', 'dVmIuGSwJc', 'pWIymQnSgfK4td1MjnJ', 'xVYoPhnmPIy7hIkyPhM', 'Nqfn8qn6s9UxLHrCuZH', 'fQ19Kinp6P4LIns9ST0', 'VGxpTknKZpOAVSqEpWk', 'wFGd7KnOnR3cN6W8qAT', 'hWOrGRn8nvsvupO5HUh', 'oFGXGfn2syb8DUtbYvK' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, wDs8PcUjkGmiVMsShV.cs |
High entropy of concatenated method names: 'Fi3nNBBK1', 'mIUNW5o26', 'jb3lgIMWa', 'ei7A2llLr', 'c4F5CTu1F', 'GMwEscFm9', 'V9RklPNOO', 'N0GtYDEw8', 'IBtW4LMpD', 'CyEqrImZB' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, eMD8oOIH3tOpACb6lLN.cs |
High entropy of concatenated method names: 'fA5IDDNtiV', 'dA4IdIk8MN', 'ooph4UqD6J2cwulRLhf', 'KEpp6jqd2HBFrpEbL8x', 'v05tkKqTkYPNRbKVEpM', 'SEbIFcqcxM94U59fPSF', 'jXGq38q4gI0pJOhspVY', 'DwXinVquipXmQoTUBLO', 'IdjgqBqGLhcihiKulIh', 'L0LqVqqyKA87MfMS9yh' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, KIGYTfVacgDhpMwAiv6.cs |
High entropy of concatenated method names: 'XhQLqQ9UIy', 'jVQXlnnUf9n17NOVCWp', 'kMce7pnFYlZke2Zv6Dl', 'EUV6o0n5wrPSmbe68yc', 'iSqovZnEy3kk7MLnY3L', 'tu1HQTnvGDhv5KBMlmj', 'ojap6InQpbcbXgr3GuD', 'AgvqNBnkWfZUe43sY0A' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, oOvFRkVmPZntMcG1dRl.cs |
High entropy of concatenated method names: 'wKskj2nNJca52yhujGI', 'NPV0CTnbyNoM1QYuA70', 'Ox701ed6Bu', 'aw5TnvnoskErtxNriM5', 'oGilBqnLlHvHwLC0Vvo', 'LqaGNwnMe2xwti3PDeu', 'td4sa4n1ToG68xWTbEM', 'PbHpVCniELDUss0ZBrT', 'VChQS9nsZWEXxOayXA9', 'bdRPyInhcJPX3Lb6ofH' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, Tt5tygJ0scRjDZRdmq.cs |
High entropy of concatenated method names: 'ivjjcM0NP', 'QVhD18aZM', 'YW5dVi60K', 'nfpT3QB2A', 'MMcc4pi5J', 'mrZ4qBdqf', 'v2guuf5Tk', 'hwwGHEAiv', 'PZN9c1kuFZJtKu1eZ4j', 'mteQJJkGTKp8SGimWsk' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, x72CmJ9dqp8VHf2u1o.cs |
High entropy of concatenated method names: 'lTTZTkRsx', 'OjCoigEkgSi7GeWDqXT', 'hUp06SEtYjhTmw3d135', 'Y4hejNEWeBJLRToy8D0', 'XdUy0cEqJ7ofWx0uQFS', 'Y5Uae8EnU1vHfSTDfCM', 'IQBDi8ENqeYf8CgLPCB', 'HIg6wdEbZ6uQNUDZrNv', 'uGBA37El4kZljFCJ5rT', 'lp5t0IEAbbB1dms6awD' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, Ep4wC9762dHZLAvJJXC.cs |
High entropy of concatenated method names: 'b0W79WOsYM', 'xSD7RYDyPa', 'KRZ7ZLnTIj', 'aUs735CEdQ', 'D6I7gObCVx', 'Kfx7rqFiHQ', 'SCn7xk0nDh', 'Fxx7vwM9N6', 'eku7QDvliw', 'jOQ7UGAegN' |
Source: 8.2.RegSvcs.exe.5630000.7.raw.unpack, AsGkHG7Ft5PTaKMrTGJ.cs |
High entropy of concatenated method names: 'OOarJD0jWP', 're1rHgBL2u', 'MhwrjkXpd2', 'R47rDnmPDk', 'IY7rdPEsRM', 'BwRrTLaMop', 'f4Prc0xXUL', 'oK47BuAm6Y', 'VKKr4KwinG', 'Kmvrub96f7' |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
6_2_004772DE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
6_2_004375B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLLT-EQ |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLLCUCKOOMON.DLL |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, |
6_2_00452126 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, |
6_2_0045C999 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, |
6_2_00436ADE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
6_2_00434BEE |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0045DD7C FindFirstFileW,FindClose, |
6_2_0045DD7C |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, |
6_2_0044BD29 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, |
6_2_00436D2D |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
6_2_00442E1F |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
6_2_00475FE5 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, |
6_2_0044BF8D |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, |
6_2_0040E470 |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmware\V |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq 1:en-CH:Microsoft|VMWare|Virtual |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMwareLReqPN |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmGuestLib.dll@\eq |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: v7O4l4dh9sDfm42 XobmcoLH@\eq0Microsoft|VMWare|Virtual |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmware |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMware|VIRTUAL|A M I|Xen@\eq |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmGuestLib.dll |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: NTTBC LSDZ8D9MVM@\eq0VMware|VIRTUAL|A M I|Xen |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq 1:en-CH:VMware|VIRTUAL|A M I|Xen |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMware|VIRTUAL|A M I|Xen |
Source: QUG24-2003700542005180.exe, 00000006.00000002.1310995977.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: 806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}i& |
Source: RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Microsoft|VMWare|Virtual |
Source: RegSvcs.exe, 00000008.00000002.1330127818.0000000005630000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: qWxObqgzxIqemUDIBsD |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Microsoft|VMWare|Virtual@\eq |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq"C:\Windows\system32\vmGuestLib.dll@ |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: $eq"C:\Windows\system32\vmGuestLib.dll |
Source: RegSvcs.exe, 00000008.00000002.1328006964.000000000318A000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMWareLReqH( |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, |
6_2_0040D6D0 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_041B3F20 mov eax, dword ptr fs:[00000030h] |
6_2_041B3F20 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_041B3F80 mov eax, dword ptr fs:[00000030h] |
6_2_041B3F80 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_041B2900 mov eax, dword ptr fs:[00000030h] |
6_2_041B2900 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, |
6_2_00426DA1 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0042202E SetUnhandledExceptionFilter, |
6_2_0042202E |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_004230F5 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_00417D93 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_00421FA7 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
6_2_004375B0 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
6_2_00445DD3 |
Source: QUG24-2003700542005180.exe |
Binary or memory string: Shell_TrayWnd |
Source: QUG24-2003700542005180.exe |
Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, |
6_2_0042039F |
Source: QUG24-2003700542005180.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32----- |
Source: QUG24-2003700542005180.exe |
Binary or memory string: WIN_XP |
Source: QUG24-2003700542005180.exe |
Binary or memory string: WIN_XPe |
Source: QUG24-2003700542005180.exe |
Binary or memory string: WIN_VISTA |
Source: QUG24-2003700542005180.exe |
Binary or memory string: WIN_7 |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, |
6_2_004741BB |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, |
6_2_0046483C |
Source: C:\Users\user\Desktop\QUG24-2003700542005180.exe |
Code function: 6_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, |
6_2_0047AD92 |