Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_009BDBBE |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0098C2A2 FindFirstFileExW, |
0_2_0098C2A2 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C68EE FindFirstFileW,FindClose, |
0_2_009C68EE |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, |
0_2_009C698F |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_009BD076 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_009BD3A9 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_009C9642 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_009C979D |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, |
0_2_009C9B2B |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose, |
0_2_009C5C97 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 4x nop then jmp 0112EB26h |
2_2_0112E938 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 4x nop then jmp 0112F4B0h |
2_2_0112E938 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 4x nop then jmp 0112FB41h |
2_2_0112F880 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h |
2_2_0112E48B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h |
2_2_0112DE58 |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.com |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org/ |
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://checkip.dyndns.org/q |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://reallyfreegeoip.org |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://reallyfreegeoip.org |
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://reallyfreegeoip.org/xml/ |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33 |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002D27000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$ |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33x |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49722 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49726 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49724 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49722 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49717 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49715 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49726 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49713 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49724 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49712 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_009CEAFF |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_009CEAFF |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
0_2_009E9576 |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Matched rule: Detects Snake Keylogger Author: ditekSHen |
Source: Offer 2024-30496.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: Offer 2024-30496.exe, 00000000.00000000.2535803945.0000000000A12000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_64b53bec-5 |
Source: Offer 2024-30496.exe, 00000000.00000000.2535803945.0000000000A12000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_1eab6e4b-4 |
Source: Offer 2024-30496.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_a4e8ee32-7 |
Source: Offer 2024-30496.exe |
String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_cc1c3864-a |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
0_2_009B1201 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C2046 |
0_2_009C2046 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00958060 |
0_2_00958060 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009B8298 |
0_2_009B8298 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0098E4FF |
0_2_0098E4FF |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0098676B |
0_2_0098676B |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009E4873 |
0_2_009E4873 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0097CAA0 |
0_2_0097CAA0 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0095CAF0 |
0_2_0095CAF0 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0096CC39 |
0_2_0096CC39 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00986DD9 |
0_2_00986DD9 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009591C0 |
0_2_009591C0 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0096B119 |
0_2_0096B119 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00971394 |
0_2_00971394 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00971706 |
0_2_00971706 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0097781B |
0_2_0097781B |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009719B0 |
0_2_009719B0 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00957920 |
0_2_00957920 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0096997D |
0_2_0096997D |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00977A4A |
0_2_00977A4A |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00977CA7 |
0_2_00977CA7 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00971C77 |
0_2_00971C77 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00989EEE |
0_2_00989EEE |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009DBE44 |
0_2_009DBE44 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00971F32 |
0_2_00971F32 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00BD35D0 |
0_2_00BD35D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_01126120 |
2_2_01126120 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112C1A8 |
2_2_0112C1A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112C488 |
2_2_0112C488 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112B740 |
2_2_0112B740 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112C76B |
2_2_0112C76B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112E938 |
2_2_0112E938 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_01129868 |
2_2_01129868 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_01126898 |
2_2_01126898 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112F880 |
2_2_0112F880 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112BBEB |
2_2_0112BBEB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112CA4B |
2_2_0112CA4B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_01124ABA |
2_2_01124ABA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112BEC8 |
2_2_0112BEC8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_01123573 |
2_2_01123573 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112DE58 |
2_2_0112DE58 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_0112DE47 |
2_2_0112DE47 |
Source: Offer 2024-30496.exe, 00000000.00000003.2548074585.0000000003DCD000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Offer 2024-30496.exe |
Source: Offer 2024-30496.exe, 00000000.00000003.2556243974.0000000003C23000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Offer 2024-30496.exe |
Source: Offer 2024-30496.exe, 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Offer 2024-30496.exe |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, U-.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, U-.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, ----.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, ----.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000003025000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5019492524.0000000003C2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.5018441738.0000000002FE3000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Offer 2024-30496.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Offer 2024-30496.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Offer 2024-30496.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Offer 2024-30496.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Offer 2024-30496.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Offer 2024-30496.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0096F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_0096F98E |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
0_2_009E1C41 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 600000 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599890 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599781 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599672 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599453 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599344 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599219 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599109 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598999 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598890 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598781 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598672 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598453 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598344 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598229 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598125 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598015 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597904 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597797 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597687 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597578 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597468 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597359 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597250 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597140 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597031 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596922 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596812 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596703 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596594 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596484 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596375 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596265 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596156 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596047 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595937 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595828 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595719 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595609 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595499 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595390 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595281 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595172 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595062 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594953 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594844 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594734 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594625 |
Jump to behavior |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_009BDBBE |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0098C2A2 FindFirstFileExW, |
0_2_0098C2A2 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C68EE FindFirstFileW,FindClose, |
0_2_009C68EE |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, |
0_2_009C698F |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_009BD076 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_009BD3A9 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_009C9642 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_009C979D |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, |
0_2_009C9B2B |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009C5C97 FindFirstFileW,FindNextFileW,FindClose, |
0_2_009C5C97 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 600000 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599890 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599781 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599672 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599453 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599344 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599219 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 599109 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598999 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598890 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598781 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598672 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598453 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598344 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598229 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598125 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 598015 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597904 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597797 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597687 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597578 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597468 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597359 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597250 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597140 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 597031 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596922 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596812 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596703 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596594 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596484 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596375 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596265 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596156 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 596047 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595937 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595828 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595719 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595609 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595499 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595390 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595281 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595172 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 595062 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594953 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594844 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594734 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 594625 |
Jump to behavior |
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: Vmwaretrat |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vboxtray |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q*C:\windows\System32\Drivers\vmmousever.dll |
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: vboxservice |
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: vboxtrayOC:\windows\System32\Drivers\Vmmouse.sysMC:\windows\System32\Drivers\vm3dgl.dllMC:\windows\System32\Drivers\vmtray.dllWC:\windows\System32\Drivers\VMToolsHook.dllUC:\windows\System32\Drivers\vmmousever.dllSC:\windows\System32\Drivers\VBoxMouse.sysSC:\windows\System32\Drivers\VBoxGuest.sysMC:\windows\System32\Drivers\VBoxSF.sysSC:\windows\System32\Drivers\VBoxVideo.sysGC:\windows\System32\vboxservice.exe |
Source: RegSvcs.exe, 00000002.00000002.5020167632.0000000006240000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\C:\windows\System32\Drivers\vmmousever.dll |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q#C:\windows\System32\vboxservice.exe |
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: Vmtoolsd |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q+C:\windows\System32\Drivers\VMToolsHook.dll |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q)C:\windows\System32\Drivers\VBoxMouse.sys |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q)C:\windows\System32\Drivers\VBoxGuest.sys |
Source: RegSvcs.exe, 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: Vmwareuser |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q'C:\windows\System32\Drivers\Vmmouse.sys |
Source: RegSvcs.exe, 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: q&C:\windows\System32\Drivers\VBoxSF.sys |
Source: RegSvcs.exe, 00000002.00000002.5017711623.0000000000D86000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00974CE8 mov eax, dword ptr fs:[00000030h] |
0_2_00974CE8 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00BD34C0 mov eax, dword ptr fs:[00000030h] |
0_2_00BD34C0 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00BD3460 mov eax, dword ptr fs:[00000030h] |
0_2_00BD3460 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00BD1E70 mov eax, dword ptr fs:[00000030h] |
0_2_00BD1E70 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
0_2_009B0B62 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00982622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00982622 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_0097083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0097083F |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009709D5 SetUnhandledExceptionFilter, |
0_2_009709D5 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_00970C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00970C21 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
0_2_009B1201 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
0_2_009B0B62 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_81 |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_XP |
Source: Offer 2024-30496.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_XPe |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_VISTA |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_7 |
Source: Offer 2024-30496.exe |
Binary or memory string: WIN_8 |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Offer 2024-30496.exe.1200000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2557850660.0000000001200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5017549308.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5018441738.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.5018441738.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Offer 2024-30496.exe PID: 6212, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 6408, type: MEMORYSTR |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, |
0_2_009D1204 |
Source: C:\Users\user\Desktop\Offer 2024-30496.exe |
Code function: 0_2_009D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, |
0_2_009D1806 |