Source: 2.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: 2.0.RegAsm.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen |
Source: 2.0.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen |
Source: 2.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen |
Source: 2.0.RegAsm.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen |
Source: 2.2.RegAsm.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then jmp 003977E5h | 4_2_00397585 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then push dword ptr [ebp+14h] | 4_2_0039E0BE |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then push dword ptr [ebp+14h] | 4_2_0039E138 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then jmp 003901E4h | 4_2_00390136 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov ecx, 0000003Ch | 4_2_0039D10A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then lea eax, dword ptr [ebp-64h] | 4_2_0039D10A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov ecx, 00000005h | 4_2_0039D10A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edx, dword ptr [ebp+08h] | 4_2_00391177 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov ecx, 00000005h | 4_2_0039D217 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then push dword ptr [ebp+1Ch] | 4_2_00391247 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then jmp 00390327h | 4_2_00390282 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then add edi, 04h | 4_2_00389404 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then add edi, 04h | 4_2_00389474 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edi, eax | 4_2_003914ED |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edi, eax | 4_2_0039155D |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then inc dword ptr [ebp-04h] | 4_2_0039D542 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edi, eax | 4_2_003915E0 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edi, eax | 4_2_0039164D |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp al, 7Ah | 4_2_0039F79F |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then sub al, 20h | 4_2_0039F79F |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then push 00008000h | 4_2_00391856 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov ebx, dword ptr [edx+000000ECh] | 4_2_0039F97C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp eax, dword ptr [edx+0111C55Ch] | 4_2_00389D77 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp eax, dword ptr [edx+0111C544h] | 4_2_00389D77 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp eax, 7Ah | 4_2_00399D5C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then sub eax, 20h | 4_2_00399D5C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp eax, 7Ah | 4_2_00399D5C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then sub eax, 20h | 4_2_00399D5C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then add edi, 04h | 4_2_00388DE2 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov eax, dword ptr [ebp-08h] | 4_2_00390E02 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp edx, dword ptr [esi+00001092h] | 4_2_00390E02 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then cmp ecx, dword ptr [esi+00001082h] | 4_2_00390E02 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov eax, esi | 4_2_00390E02 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edx, dword ptr [ebp+08h] | 4_2_00390E02 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then jmp 0038FFE9h | 4_2_0038FF33 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov eax, dword ptr [ebp-08h] | 4_2_00390F40 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4x nop then mov edx, dword ptr [ebp+08h] | 4_2_00390F40 |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: '//connect.facebook.net/en_US/all.js'; equals www.facebook.com (Facebook) |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: <!-- Facebook SDK --> equals www.facebook.com (Facebook) |
Source: RegAsm.exe, 00000002.00000002.1878729924.0052D000.00000004.sdmp | String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook) |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo) |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0O |
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://cps.letsencrypt.org0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b37fe583ce910 |
Source: RegAsm.exe, 00000002.00000002.1878749571.0055B000.00000004.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eno |
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | String found in binary or memory: http://goo.gl/YroZm" |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0; |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0% |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0- |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.comodoca.com05 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net03 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://ocsp.entrust.net0D |
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/ |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: TkAngEQurH.exe | String found in binary or memory: http://www.autoitscript.com/autoit3/R |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://apis.google.com/js/platform.js |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: https://randomuser.me/api/ |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://rec.smartlook.com/recorder.js |
Source: RegAsm.exe, 00000002.00000002.1881170581.05BA0000.00000004.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp | String found in binary or memory: https://stamen-maps.a.ssl.fastly.net/js/tile.stamen.js |
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://unpkg.com/leaflet |
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1879900052.01C9E000.00000004.sdmp | String found in binary or memory: https://www.connecticallc.com/ |
Source: RegAsm.exe, 00000002.00000002.1879619161.01BAE000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/ |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/favicon.ico |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com/images/ipt-fb-logo.png |
Source: RegAsm.exe, 00000002.00000002.1879650080.01BE2000.00000004.sdmp, RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com?ip_address= |
Source: RegAsm.exe, 00000002.00000002.1880052383.01CFC000.00000004.sdmp | String found in binary or memory: https://www.iptrackeronline.com?ip_address=185.32.222.17 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00403B4C |
Source: TkAngEQurH.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | |
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: This is a third-party compiled AutoIt script. | 4_2_00403B4C |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: This is a third-party compiled AutoIt script. | 4_1_00403B4C |
Source: TkAngEQurH.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | |
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004233C7 | 0_2_004233C7 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0040E800 | 0_2_0040E800 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0040FE40 | 0_2_0040FE40 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0048804A | 0_2_0048804A |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0040E060 | 0_2_0040E060 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00437006 | 0_2_00437006 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0041710E | 0_2_0041710E |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00413190 | 0_2_00413190 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00401287 | 0_2_00401287 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00422405 | 0_2_00422405 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042F419 | 0_2_0042F419 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00436522 | 0_2_00436522 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004216C4 | 0_2_004216C4 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_00416843 | 0_2_00416843 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042283A | 0_2_0042283A |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004278D3 | 0_2_004278D3 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004389DF | 0_2_004389DF |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004233C7 | 4_2_004233C7 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0040E800 | 4_2_0040E800 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0048804A | 4_2_0048804A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0040E060 | 4_2_0040E060 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00437006 | 4_2_00437006 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0041710E | 4_2_0041710E |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00413190 | 4_2_00413190 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00422405 | 4_2_00422405 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042F419 | 4_2_0042F419 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00436522 | 4_2_00436522 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004216C4 | 4_2_004216C4 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00416843 | 4_2_00416843 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042283A | 4_2_0042283A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004278D3 | 4_2_004278D3 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0040192B | 4_2_0040192B |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004389DF | 4_2_004389DF |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00418A0E | 4_2_00418A0E |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00436A94 | 4_2_00436A94 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042DBB5 | 4_2_0042DBB5 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00421BB8 | 4_2_00421BB8 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042CD61 | 4_2_0042CD61 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0040FE40 | 4_2_0040FE40 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00421FD0 | 4_2_00421FD0 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042BFE6 | 4_2_0042BFE6 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00384017 | 4_2_00384017 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00381252 | 4_2_00381252 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00385389 | 4_2_00385389 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0039C4D0 | 4_2_0039C4D0 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003844CA | 4_2_003844CA |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038456E | 4_2_0038456E |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0039C553 | 4_2_0039C553 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038A54E | 4_2_0038A54E |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038560B | 4_2_0038560B |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0039C6D9 | 4_2_0039C6D9 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038571F | 4_2_0038571F |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038177E | 4_2_0038177E |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0038192D | 4_2_0038192D |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00383FE3 | 4_2_00383FE3 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_004233C7 | 4_1_004233C7 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0040E800 | 4_1_0040E800 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0048804A | 4_1_0048804A |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0040E060 | 4_1_0040E060 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_00437006 | 4_1_00437006 |
Source: TkAngEQurH.exe, 00000000.00000003.1582807733.003D0000.00000004.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe |
Source: TkAngEQurH.exe, 00000000.00000003.1823823585.00CA0000.00000004.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs TkAngEQurH.exe |
Source: TkAngEQurH.exe, 00000000.00000002.1865310057.01A50000.00000008.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs TkAngEQurH.exe |
Source: TkAngEQurH.exe, 00000004.00000003.1839430209.003D0000.00000004.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs TkAngEQurH.exe |
Source: | Binary string: c:\Users\Shockwave\Documents\Visual Studio 2012\Projects\LZLoader\LZLoader\obj\Debug\LZLoader.pdb source: RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp |
Source: | Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video\obj\Release\AForge.Video.pdb source: RegAsm.exe, 00000002.00000002.1878556900.003C0000.00000004.sdmp |
Source: | Binary string: G:\Files\Imminent Methods\Code\Main Project\Imminent Monitor\ClientPlugin\obj\Release\ClientPlugin.pdb source: RegAsm.exe, 00000002.00000002.1879335945.009A0000.00000004.sdmp |
Source: | Binary string: c:\Users\Shockwave\Desktop\New folder (2)\SevenZip\Compress\LzmaAlone\obj\Debug\Lzma.pdb source: RegAsm.exe, 00000002.00000002.1878537804.003A0000.00000004.sdmp |
Source: | Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb source: RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp |
Source: | Binary string: D:\Andrew\AForge.NET\trunk\Sources\Video.DirectShow\obj\Release\AForge.Video.DirectShow.pdb| source: RegAsm.exe, 00000002.00000002.1878888801.007A0000.00000004.sdmp |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: TkAngEQurH.exe.0.dr | Static PE information: section name: |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143CB push edi; ret | 0_2_004143CD |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004143B7 push edi; ret | 0_2_004143B9 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143CB push edi; ret | 4_2_004143CD |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004143B7 push edi; ret | 4_2_004143B9 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00428B85 push ecx; ret | 4_2_00428B98 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_003808D9 push es; ret | 4_2_003808DA |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, \\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: CreateFileA,DeviceIoControl, @\\.\PhysicalDrive | 4_2_0038C787 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 4_2_00404A35 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_004233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_004233C7 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (16 identical rows) |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep count: 5781 > 30 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep time: -57810s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3516 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -600000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -440000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -960000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2484 | Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1888 | Thread sleep time: -55000s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -30000s >= -30000s |
Source: RegAsm.exe, 00000002.00000003.1825542117.02B96000.00000004.sdmp | Binary or memory string: HGFSC |
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | Binary or memory string: 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 |
Source: RegAsm.exe, 00000002.00000003.1825835369.03406000.00000004.sdmp | Binary or memory string: pbefoqIjwIQeMurZQDnBFaaGUuOt |
Source: TkAngEQurH.exe | Binary or memory string: \\.\VBoxGuest |
Source: TkAngEQurH.exe, 00000004.00000002.1883487060.00380000.00000040.sdmp | Binary or memory string: n\\.\VBoxGuest |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort (3 identical rows) |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugFlags |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugPort (3 identical rows) |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Process queried: DebugFlags |
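The sleep rows, the `\\.\VBoxGuest` memory string and the DebugPort / DebugObjectHandle / DebugFlags queries above are three separate anti-analysis checks (time-based evasion, VM detection, debugger detection). The Python below is an added example, not part of the sandbox report and not code from the analysed sample: it parses rows in the report's own `Source: … | … |` layout (a handful of the rows above, copied in as constructed sample input) and re-applies the rules the rows state, i.e. sleep count > 30, sleep total >= 30000 as printed, a known VM device name in a memory string, and a query of one of the three debug-related `NtQueryInformationProcess` classes. It goes slightly beyond the page by matching a few more well-known VirtualBox/VMware device names than the one that appears here. The `ProcessInformationClass` values are the documented Windows constants; the row regex and the decision to compare the report's negative sleep totals by magnitude are assumptions about the sandbox's output format.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the report section above, in the
# sandbox's own "Source: <process> | <detail> |" layout, one row per line.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep count: 5781 > 30 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe TID: 356 | Thread sleep time: -57810s >= -30000s |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 460 | Thread sleep time: -30000s >= -30000s |
Source: TkAngEQurH.exe | Binary or memory string: \\.\VBoxGuest |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Process queried: DebugFlags |
Source: RegAsm.exe, 00000002.00000003.1825542117.02B96000.00000004.sdmp | Binary or memory string: HGFSC |
"""

# Row layout (assumption): "Source: <source> | <detail> |", first pipe splits the two.
ROW_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<detail>.+?)\s*\|?\s*$")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(-?\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s")
MEM_STRING_RE = re.compile(r"Binary or memory string:\s*(.+)$")
PROC_QUERY_RE = re.compile(r"Process queried:\s*(\w+)")

# Thresholds exactly as the report rows print them ("> 30", ">= -30000s").
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD = 30000

# Device names that only exist inside a VirtualBox or VMware guest.
VM_DEVICE_NAMES = (r"\\.\VBoxGuest", r"\\.\VBoxMiniRdrDN", r"\\.\VBoxTrayIPC",
                   r"\\.\vmci", r"\\.\HGFS")

# NtQueryInformationProcess classes behind the "Process queried" rows.
PROCESSINFOCLASS = {"DebugPort": 0x07, "DebugObjectHandle": 0x1E, "DebugFlags": 0x1F}


def parse_row(line):
    """Split one report row into (source, detail); None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return (m.group("source"), m.group("detail")) if m else None


def _finding(source, technique, evidence):
    return {"source": source, "technique": technique, "evidence": evidence}


def classify(line):
    """Return a finding for a row that trips an anti-analysis rule, else None."""
    parsed = parse_row(line)
    if parsed is None:
        return None
    source, detail = parsed

    m = SLEEP_COUNT_RE.search(detail)
    if m:
        count = int(m.group(1))
        return _finding(source, "sleep-evasion", f"{count} sleep calls") \
            if count > SLEEP_COUNT_THRESHOLD else None

    m = SLEEP_TIME_RE.search(detail)
    if m:
        # The report prints the totals as negative numbers; the rule is applied
        # to the magnitude (assumption, consistent with how the rows read).
        total = abs(int(m.group(1)))
        return _finding(source, "sleep-evasion", f"total delay {total} as printed") \
            if total >= SLEEP_TIME_THRESHOLD else None

    m = MEM_STRING_RE.search(detail)
    if m:
        found = m.group(1).lower()
        for name in VM_DEVICE_NAMES:
            if name.lower() in found:
                return _finding(source, "anti-vm", f"references {name}")
        return None

    m = PROC_QUERY_RE.search(detail)
    if m and m.group(1) in PROCESSINFOCLASS:
        cls = m.group(1)
        return _finding(source, "anti-debug",
                        f"NtQueryInformationProcess(Process{cls}=0x{PROCESSINFOCLASS[cls]:02X})")
    return None


def summarize(report_text):
    """All findings plus, per technique, the sorted list of processes that showed it."""
    findings = [f for f in map(classify, report_text.splitlines()) if f]
    sources = defaultdict(set)
    for f in findings:
        sources[f["technique"]].add(f["source"])
    return findings, {t: sorted(s) for t, s in sources.items()}


if __name__ == "__main__":
    findings, by_technique = summarize(SAMPLE_ROWS)
    for f in findings:
        print(f"{f['technique']:14} {f['source']}: {f['evidence']}")
    print({t: len(s) for t, s in by_technique.items()})
```

The per-technique grouping is the useful output: on the rows above it shows the sleep evasion is spread across both the dropper and the injected RegAsm.exe threads, while the VM and debugger checks live only in the AutoIt-compiled dropper, which matches where the `VBoxGuest` string and the `IsDebuggerPresent` call are found in the rest of this section.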
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00435CCC RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 4_2_00435CCC |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_004399F2 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 4_2_004399F2 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A364 SetUnhandledExceptionFilter, | 0_2_0042A364 |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Code function: 0_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0042A395 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A364 SetUnhandledExceptionFilter, | 4_2_0042A364 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 4_2_0042A395 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_1_0042A364 SetUnhandledExceptionFilter, | 4_1_0042A364 |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Code function: 4_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 4_2_00404A35 |
Source: TkAngEQurH.exe, 00000000.00000002.1829962092.00401000.00000040.sdmp, TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: RegAsm.exe, 00000002.00000002.1879866997.01C70000.00000004.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Program Manager |
Source: RegAsm.exe, 00000002.00000002.1879489872.00D00000.00000002.sdmp, TkAngEQurH.exe, 00000004.00000002.1884067089.00F90000.00000002.sdmp | Binary or memory string: Progman |
Source: TkAngEQurH.exe | Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: ProgMan |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Progman |
Source: RegAsm.exe, 00000002.00000002.1879784660.01C3B000.00000004.sdmp | Binary or memory string: w: [-- Program Manager --] |
Source: RegAsm.exe, 00000002.00000002.1879581423.01B70000.00000004.sdmp | Binary or memory string: Shell_traywnd |
Source: C:\Users\user\Desktop\TkAngEQurH.exe | Queries volume information: C:\Users\user\Desktop\TkAngEQurH.exe VolumeInformation (3 identical rows) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Users\user\AppData\Roaming\TkAngEQurH.exe | Queries volume information: C:\Users\user\AppData\Roaming\TkAngEQurH.exe VolumeInformation (3 identical rows) |
Source: TkAngEQurH.exe | Binary or memory string: WIN_81 |
Source: TkAngEQurH.exe | Binary or memory string: WIN_XP |
Source: TkAngEQurH.exe | Binary or memory string: WIN_XPe |
Source: TkAngEQurH.exe | Binary or memory string: WIN_VISTA |
Source: TkAngEQurH.exe | Binary or memory string: WIN_7 |
Source: TkAngEQurH.exe | Binary or memory string: WIN_8 |
Source: TkAngEQurH.exe, 00000004.00000002.1883528133.00401000.00000040.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte |