Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EE4696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00EE4696 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_00EEC9C7 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEC93C FindFirstFileW,FindClose, |
0_2_00EEC93C |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00EEF200 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00EEF35D |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00EEF65E |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00EE3A2B |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00EE3D4E |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00EEBF27 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.243.245 |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2143286573.00000000029AD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://91.92.243.245:47477 |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://91.92.243.245:47477/ |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002780000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002780000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/ |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/0 |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000029AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2143286573.0000000002780000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate |
Source: RegSvcs.exe, 00000002.00000002.2143286573.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE% |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://ipinfo.io/ip%appdata% |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: tmp5C4B.tmp.2.dr, tmp9503.tmp.2.dr, tmp2336.tmp.2.dr, tmp22F4.tmp.2.dr, tmp94A2.tmp.2.dr, tmp2325.tmp.2.dr, tmp94B3.tmp.2.dr, tmp5C0A.tmp.2.dr, tmp2305.tmp.2.dr, tmp94E3.tmp.2.dr, tmp5C3B.tmp.2.dr, tmp5C1A.tmp.2.dr |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00F0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
0_2_00F0CDAC |
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: Process Memory Space: Contract Quotation Details - Rotational Suppl.exe PID: 2860, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: Process Memory Space: RegSvcs.exe PID: 6544, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: This is a third-party compiled AutoIt script. |
0_2_00E83B4C |
Source: Contract Quotation Details - Rotational Suppl.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998328520.0000000000F35000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_6d505258-f |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998328520.0000000000F35000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_25c2e404-f |
Source: Contract Quotation Details - Rotational Suppl.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_66a999da-7 |
Source: Contract Quotation Details - Rotational Suppl.exe |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_85e82147-1 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E8E800 |
0_2_00E8E800 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EADBB5 |
0_2_00EADBB5 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E8E060 |
0_2_00E8E060 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00F0804A |
0_2_00F0804A |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E94140 |
0_2_00E94140 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA2405 |
0_2_00EA2405 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB6522 |
0_2_00EB6522 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB267E |
0_2_00EB267E |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00F00665 |
0_2_00F00665 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E96843 |
0_2_00E96843 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA283A |
0_2_00EA283A |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB89DF |
0_2_00EB89DF |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00F00AE2 |
0_2_00F00AE2 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB6A94 |
0_2_00EB6A94 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E98A0E |
0_2_00E98A0E |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EDEB07 |
0_2_00EDEB07 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EE8B13 |
0_2_00EE8B13 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EACD61 |
0_2_00EACD61 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB7006 |
0_2_00EB7006 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E93190 |
0_2_00E93190 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E9710E |
0_2_00E9710E |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E81287 |
0_2_00E81287 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA33C7 |
0_2_00EA33C7 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EAF419 |
0_2_00EAF419 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA16C4 |
0_2_00EA16C4 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E95680 |
0_2_00E95680 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E958C0 |
0_2_00E958C0 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA78D3 |
0_2_00EA78D3 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA1BB8 |
0_2_00EA1BB8 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB9D05 |
0_2_00EB9D05 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E8FE40 |
0_2_00E8FE40 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EABFE6 |
0_2_00EABFE6 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA1FD0 |
0_2_00EA1FD0 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E03630 |
0_2_00E03630 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00D9E7B0 |
2_2_00D9E7B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_00D9DC90 |
2_2_00D9DC90 |
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: Process Memory Space: Contract Quotation Details - Rotational Suppl.exe PID: 2860, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: Process Memory Space: RegSvcs.exe PID: 6544, type: MEMORYSTR |
Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Section loaded: kernel.appcore.dll |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Contract Quotation Details - Rotational Suppl.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00E84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_00E84A35 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00F055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
0_2_00F055FD |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EA33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00EA33C7 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00EEBF27 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655x |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: discord.comVMware20,11696428655f |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: interactivebrokers.co.inVMware20,11696428655d |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: global block list test formVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655} |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000003.1987843029.000000000123B000.00000004.00000020.00020000.00000000.sdmp, alarmingness.0.dr |
Binary or memory string: hGFS~W0IC0MSME5P[1<.O5HLnXVQ:& |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^ |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: account.microsoft.com/profileVMware20,11696428655u |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: www.interactivebrokers.comVMware20,11696428655} |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: outlook.office365.comVMware20,11696428655t |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x |
Source: RegSvcs.exe, 00000002.00000002.2142355231.0000000000A24000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: outlook.office.comVMware20,11696428655s |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~ |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: ms.portal.azure.comVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: AMC password management pageVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: tasks.office.comVMware20,11696428655o |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: turbotax.intuit.comVMware20,11696428655t |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: interactivebrokers.comVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: dev.azure.comVMware20,11696428655j |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: netportal.hdfcbank.comVMware20,11696428655 |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Interactive Brokers - HKVMware20,11696428655] |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: bankofamerica.comVMware20,11696428655x |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h |
Source: tmp3C6C.tmp.2.dr |
Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655 |
Source: C:\Users\user\Desktop\Contract Quotation Details - Rotational Suppl.exe |
Code function: 0_2_00EB5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
0_2_00EB5CCC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Contract Quotation Details - Rotational Suppl.exe.e10000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.2142197235.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.2143286573.0000000002780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Contract Quotation Details - Rotational Suppl.exe PID: 2860, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 6544, type: MEMORYSTR |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\* |
Source: Contract Quotation Details - Rotational Suppl.exe, 00000000.00000002.1998215524.0000000000E10000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: \Ethereum\wallets |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: Ethereum |
Source: RegSvcs.exe, 00000002.00000002.2143286573.00000000027A8000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\* |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\atomic\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Exodus\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Guarda\ |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_81 |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_XP |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_XPe |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_VISTA |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_7 |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: WIN_8 |
Source: Contract Quotation Details - Rotational Suppl.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte |