Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
17_2_00409253 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
17_2_0041C291 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
17_2_0040C34D |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
17_2_00409665 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0044E879 FindFirstFileExA, |
17_2_0044E879 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
17_2_0040880C |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, |
17_2_0040783C |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
17_2_00419AF5 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
17_2_0040BB30 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
17_2_0040BD37 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
19_2_00409253 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
19_2_0041C291 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
19_2_0040C34D |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
19_2_00409665 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0044E879 FindFirstFileExA, |
19_2_0044E879 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
19_2_0040880C |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0040783C FindFirstFileW,FindNextFileW, |
19_2_0040783C |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
19_2_00419AF5 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
19_2_0040BB30 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
19_2_0040BD37 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
21_2_00409253 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
21_2_0041C291 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
21_2_0040C34D |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
21_2_00409665 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0044E879 FindFirstFileExA, |
21_2_0044E879 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
21_2_0040880C |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0040783C FindFirstFileW,FindNextFileW, |
21_2_0040783C |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
21_2_00419AF5 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
21_2_0040BB30 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
21_2_0040BD37 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
23_2_00409253 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
23_2_0041C291 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
23_2_0040C34D |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
23_2_00409665 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0044E879 FindFirstFileExA, |
23_2_0044E879 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
23_2_0040880C |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0040783C FindFirstFileW,FindNextFileW, |
23_2_0040783C |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
23_2_00419AF5 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
23_2_0040BB30 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
23_2_0040BD37 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
27_2_00409253 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
27_2_0041C291 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
27_2_0040C34D |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
27_2_00409665 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0044E879 FindFirstFileExA, |
27_2_0044E879 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
27_2_0040880C |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0040783C FindFirstFileW,FindNextFileW, |
27_2_0040783C |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
27_2_00419AF5 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
27_2_0040BB30 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
27_2_0040BD37 |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9F5D |
2_3_051A9F5D |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\SysWOW64\wscript.exe |
Code function: 2_3_051A9FD1 |
2_3_051A9FD1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4_2_02D665D0 |
4_2_02D665D0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4_2_02D66EA0 |
4_2_02D66EA0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4_2_02D66288 |
4_2_02D66288 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 4_2_02D6B590 |
4_2_02D6B590 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0043E0CC |
17_2_0043E0CC |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0041F0FA |
17_2_0041F0FA |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00454159 |
17_2_00454159 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00438168 |
17_2_00438168 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_004461F0 |
17_2_004461F0 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0043E2FB |
17_2_0043E2FB |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0045332B |
17_2_0045332B |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0042739D |
17_2_0042739D |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_004374E6 |
17_2_004374E6 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0043E558 |
17_2_0043E558 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00438770 |
17_2_00438770 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_004378FE |
17_2_004378FE |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00433946 |
17_2_00433946 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0044D9C9 |
17_2_0044D9C9 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00427A46 |
17_2_00427A46 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0041DB62 |
17_2_0041DB62 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00427BAF |
17_2_00427BAF |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00437D33 |
17_2_00437D33 |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00435E5E |
17_2_00435E5E |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00426E0E |
17_2_00426E0E |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_0043DE9D |
17_2_0043DE9D |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00413FCA |
17_2_00413FCA |
Source: C:\Windows\winhlp32.exe |
Code function: 17_2_00436FEA |
17_2_00436FEA |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0043E0CC |
19_2_0043E0CC |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0041F0FA |
19_2_0041F0FA |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00454159 |
19_2_00454159 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00438168 |
19_2_00438168 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_004461F0 |
19_2_004461F0 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0043E2FB |
19_2_0043E2FB |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0045332B |
19_2_0045332B |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0042739D |
19_2_0042739D |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_004374E6 |
19_2_004374E6 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0043E558 |
19_2_0043E558 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00438770 |
19_2_00438770 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_004378FE |
19_2_004378FE |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00433946 |
19_2_00433946 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0044D9C9 |
19_2_0044D9C9 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00427A46 |
19_2_00427A46 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0041DB62 |
19_2_0041DB62 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00427BAF |
19_2_00427BAF |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00437D33 |
19_2_00437D33 |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00435E5E |
19_2_00435E5E |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00426E0E |
19_2_00426E0E |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_0043DE9D |
19_2_0043DE9D |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00413FCA |
19_2_00413FCA |
Source: C:\Windows\winhlp32.exe |
Code function: 19_2_00436FEA |
19_2_00436FEA |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0043E0CC |
21_2_0043E0CC |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0041F0FA |
21_2_0041F0FA |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00454159 |
21_2_00454159 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00438168 |
21_2_00438168 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_004461F0 |
21_2_004461F0 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0043E2FB |
21_2_0043E2FB |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0045332B |
21_2_0045332B |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0042739D |
21_2_0042739D |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_004374E6 |
21_2_004374E6 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0043E558 |
21_2_0043E558 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00438770 |
21_2_00438770 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_004378FE |
21_2_004378FE |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00433946 |
21_2_00433946 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0044D9C9 |
21_2_0044D9C9 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00427A46 |
21_2_00427A46 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0041DB62 |
21_2_0041DB62 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00427BAF |
21_2_00427BAF |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00437D33 |
21_2_00437D33 |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00435E5E |
21_2_00435E5E |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00426E0E |
21_2_00426E0E |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_0043DE9D |
21_2_0043DE9D |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00413FCA |
21_2_00413FCA |
Source: C:\Windows\winhlp32.exe |
Code function: 21_2_00436FEA |
21_2_00436FEA |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0043E0CC |
23_2_0043E0CC |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0041F0FA |
23_2_0041F0FA |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00454159 |
23_2_00454159 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00438168 |
23_2_00438168 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_004461F0 |
23_2_004461F0 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0043E2FB |
23_2_0043E2FB |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0045332B |
23_2_0045332B |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0042739D |
23_2_0042739D |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_004374E6 |
23_2_004374E6 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0043E558 |
23_2_0043E558 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00438770 |
23_2_00438770 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_004378FE |
23_2_004378FE |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00433946 |
23_2_00433946 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0044D9C9 |
23_2_0044D9C9 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00427A46 |
23_2_00427A46 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0041DB62 |
23_2_0041DB62 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00427BAF |
23_2_00427BAF |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00437D33 |
23_2_00437D33 |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00435E5E |
23_2_00435E5E |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00426E0E |
23_2_00426E0E |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_0043DE9D |
23_2_0043DE9D |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00413FCA |
23_2_00413FCA |
Source: C:\Windows\winhlp32.exe |
Code function: 23_2_00436FEA |
23_2_00436FEA |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0043E0CC |
27_2_0043E0CC |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0041F0FA |
27_2_0041F0FA |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00454159 |
27_2_00454159 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00438168 |
27_2_00438168 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_004461F0 |
27_2_004461F0 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0043E2FB |
27_2_0043E2FB |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0045332B |
27_2_0045332B |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0042739D |
27_2_0042739D |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_004374E6 |
27_2_004374E6 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0043E558 |
27_2_0043E558 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00438770 |
27_2_00438770 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_004378FE |
27_2_004378FE |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00433946 |
27_2_00433946 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0044D9C9 |
27_2_0044D9C9 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00427A46 |
27_2_00427A46 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0041DB62 |
27_2_0041DB62 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00427BAF |
27_2_00427BAF |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00437D33 |
27_2_00437D33 |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00435E5E |
27_2_00435E5E |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00426E0E |
27_2_00426E0E |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_0043DE9D |
27_2_0043DE9D |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00413FCA |
27_2_00413FCA |
Source: C:\Windows\winhlp32.exe |
Code function: 27_2_00436FEA |
27_2_00436FEA |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5670000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5670000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.6240000.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.6240000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5ed0000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5e40000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5ed0000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 2.2.wscript.exe.5e40000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 31.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 27.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 33.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 31.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 33.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 21.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 29.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 29.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 17.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 19.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 21.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 23.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 23.2.winhlp32.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 27.2.winhlp32.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000011.00000002.3306521595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000002.00000002.2086281820.0000000006240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000004.00000002.3309788726.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000013.00000002.2293523847.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000004.00000002.3316092029.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000008.00000002.2081271482.00000000032BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000006.00000002.2078678717.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0000001B.00000002.2426815620.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000002.00000002.2085839663.0000000005670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000004.00000002.3309788726.0000000003118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000002.00000002.2086115387.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000004.00000002.3309788726.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000008.00000002.2085488605.0000000005756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000008.00000002.2081271482.00000000032A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000000A.00000002.2085289507.0000000002CEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000017.00000002.2317972555.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000006.00000002.2077756210.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000015.00000002.2305710782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0000000A.00000002.2085289507.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0000001F.00000002.2453206516.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000004.00000002.3306976580.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0000001D.00000002.2441328509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 00000002.00000002.2086059197.0000000005E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000021.00000002.2464792970.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: Process Memory Space: wscript.exe PID: 5144, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: RegAsm.exe PID: 4148, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: RegAsm.exe PID: 4068, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: RegAsm.exe PID: 2964, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sxs.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: vbscript.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrobj.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrrun.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msxml3.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msdart.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptnet.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cabinet.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sxs.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: devenum.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: devobj.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msdmo.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: avicap32.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msvfw32.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: policymanager.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msvcp110_win.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: zipfldr.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.fileexplorer.common.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: ntmarta.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msxml3.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: mswsock.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ondemandconnroutehelper.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winhttp.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winnsi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: dnsapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rasadhlp.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: fwpuclnt.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: zipfldr.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.fileexplorer.common.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: version.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sxs.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: vbscript.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: amsi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: userenv.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: profapi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wldp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msasn1.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptsp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: rsaenh.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: cryptbase.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msisip.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wshext.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrobj.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.storage.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: propsys.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: edputil.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: zipfldr.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: windows.fileexplorer.common.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: scrrun.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wbemcomn.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: msxml3.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: gpapi.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sspicli.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: wintypes.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: appresolver.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: bcp47langs.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: slc.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: sppc.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: winmm.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: urlmon.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: wininet.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iertutil.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: srvcli.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: netutils.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: iphlpapi.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: rstrtmgr.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ncrypt.dll |
|
Source: C:\Windows\winhlp32.exe |
Section loaded: ntasn1.dll |
|