Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Cookies |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \Default\Login Data |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \Login Data |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: //setting[@name='Password']/value |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Password : |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: SMTP Email Address |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: NNTP Email Address |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Email |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: HTTPMail User Name |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: HTTPMail Server |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Password |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^389[0-9]{11}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^3[47][0-9]{13}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(6541|6556)[0-9]{12}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^63[7-9][0-9]{13}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^9[0-9]{15}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Mastercard |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(62[0-9]{14,17})$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Visa Card |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Visa Master Card |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \logins.json |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \signons.sqlite |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Foxmail.exe |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: mail\ |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \Accounts\Account.rec0 |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: \AccCfg\Accounts.tdat |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: EnableSignature |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: Application : FoxMail |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: encryptedUsername |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: logins |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: encryptedPassword |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: office.tony39@mail.ru |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: mail.vinoterra.ru |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername |
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword |
Source: |
Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00644696 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064C93C FindFirstFileW,FindClose, |
0_2_0064C93C |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_0064C9C7 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0064F200 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0064F35D |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0064F65E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00643A2B |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00643D4E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0064BF27 |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0065425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_0065425A |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0065425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_0065425A |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0066CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
0_2_0066CDAC |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: This is a third-party compiled AutoIt script. |
0_2_005E3B4C |
Source: file4232024.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_1f6a5f1a-f |
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_fc1f5706-e |
Source: file4232024.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_1fcc7855-b |
Source: file4232024.exe |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_57878b67-3 |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue |
Source: C:\Windows\SysWOW64\svchost.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00638858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
0_2_00638858 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005EE800 |
0_2_005EE800 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0060DBB5 |
0_2_0060DBB5 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0066804A |
0_2_0066804A |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005EE060 |
0_2_005EE060 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F4140 |
0_2_005F4140 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00602405 |
0_2_00602405 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00616522 |
0_2_00616522 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00660665 |
0_2_00660665 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0061267E |
0_2_0061267E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F6843 |
0_2_005F6843 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0060283A |
0_2_0060283A |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006189DF |
0_2_006189DF |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F8A0E |
0_2_005F8A0E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00660AE2 |
0_2_00660AE2 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00616A94 |
0_2_00616A94 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0063EB07 |
0_2_0063EB07 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00648B13 |
0_2_00648B13 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0060CD61 |
0_2_0060CD61 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00617006 |
0_2_00617006 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F710E |
0_2_005F710E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F3190 |
0_2_005F3190 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005E1287 |
0_2_005E1287 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006033C7 |
0_2_006033C7 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0060F419 |
0_2_0060F419 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006016C4 |
0_2_006016C4 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F5680 |
0_2_005F5680 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005F58C0 |
0_2_005F58C0 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006078D3 |
0_2_006078D3 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00601BB8 |
0_2_00601BB8 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00619D05 |
0_2_00619D05 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005EFE40 |
0_2_005EFE40 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0060BFE6 |
0_2_0060BFE6 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00601FD0 |
0_2_00601FD0 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_01FD3630 |
0_2_01FD3630 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 2_2_00426B60 |
2_2_00426B60 |
Source: svchost.exe |
Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp |
Source: svchost.exe |
Binary or memory string: *\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp |
Source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: x;@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp |
Source: file4232024.exe, 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: ,@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp |
Source: svchost.exe |
Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password'; |
Source: svchost.exe, 00000002.00000003.2341453055.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341919743.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341065025.000000000324C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341610473.000000000324B000.00000004.00000020.00020000.00000000.sdmp, LogfireblendeuGDOCADegvvshJYgdfgGWltXxnlOnThLThggfsEYSRpalmitic.2.dr |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown |
Process created: C:\Users\user\Desktop\file4232024.exe "C:\Users\user\Desktop\file4232024.exe" |
|
Source: C:\Users\user\Desktop\file4232024.exe |
Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe" |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding |
|
Source: C:\Users\user\Desktop\file4232024.exe |
Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe" |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file4232024.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: msvbvm60.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: vb6zz.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: sxs.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: scrrun.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: winsqlite3.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: vbscript.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: fastprox.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: ncobjapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Section loaded: esscli.dll |
Source: |
Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_005E4A35 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
0_2_006655FD |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_006033C7 |
Source: C:\Users\user\Desktop\file4232024.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file4232024.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00644696 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064C93C FindFirstFileW,FindClose, |
0_2_0064C93C |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_0064C9C7 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0064F200 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0064F35D |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0064F65E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00643A2B |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00643D4E |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0064BF27 |
Source: WebData.2.dr |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655x |
Source: WebData.2.dr |
Binary or memory string: discord.comVMware20,11696428655f |
Source: WebData.2.dr |
Binary or memory string: interactivebrokers.co.inVMware20,11696428655d |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: global block list test formVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655} |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^ |
Source: WebData.2.dr |
Binary or memory string: account.microsoft.com/profileVMware20,11696428655u |
Source: WebData.2.dr |
Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE |
Source: WebData.2.dr |
Binary or memory string: www.interactivebrokers.comVMware20,11696428655} |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n |
Source: WebData.2.dr |
Binary or memory string: outlook.office365.comVMware20,11696428655t |
Source: WebData.2.dr |
Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x |
Source: WebData.2.dr |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: outlook.office.comVMware20,11696428655s |
Source: WebData.2.dr |
Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~ |
Source: WebData.2.dr |
Binary or memory string: ms.portal.azure.comVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: AMC password management pageVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: tasks.office.comVMware20,11696428655o |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z |
Source: WebData.2.dr |
Binary or memory string: turbotax.intuit.comVMware20,11696428655t |
Source: WebData.2.dr |
Binary or memory string: interactivebrokers.comVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: dev.azure.comVMware20,11696428655j |
Source: WebData.2.dr |
Binary or memory string: netportal.hdfcbank.comVMware20,11696428655 |
Source: WebData.2.dr |
Binary or memory string: Interactive Brokers - HKVMware20,11696428655] |
Source: WebData.2.dr |
Binary or memory string: bankofamerica.comVMware20,11696428655x |
Source: WebData.2.dr |
Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h |
Source: WebData.2.dr |
Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_00615CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
0_2_00615CCC |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_006381F7 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_005E4A35 |
Source: C:\Users\user\Desktop\file4232024.exe |
Code function: 0_2_006381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_006381F7 |
Source: Yara match |
File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR |
Source: file4232024.exe |
Binary or memory string: WIN_81 |
Source: file4232024.exe |
Binary or memory string: WIN_XP |
Source: file4232024.exe |
Binary or memory string: WIN_XPe |
Source: file4232024.exe |
Binary or memory string: WIN_VISTA |
Source: file4232024.exe |
Binary or memory string: WIN_7 |
Source: file4232024.exe |
Binary or memory string: WIN_8 |
Source: file4232024.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte |
Source: Yara match |
File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR |